Date: Sat, 6 Jun 2009 12:36:43 -0400 (EDT)
From: "Steven M. Christey" <>
Subject: Re: CVE id request: drupal

On Thu, 28 May 2009, Nico Golde wrote:

> Hi,

Name: CVE-2009-1844
Status: Candidate
Reference: CONFIRM:
Reference: DEBIAN:DSA-1808
Reference: URL:
Reference: SECUNIA:35282
Reference: URL:

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x
before 5.18 and 6.x before 6.12 allow (1) remote authenticated users
to inject arbitrary web script or HTML via crafted UTF-8 byte
sequences that are treated as UTF-7 by Internet Explorer 6 and 7,
which are not properly handled in the "HTML exports of books" feature;
and (2) allow remote authenticated users with administer taxonomy
permissions to inject arbitrary web script or HTML via the help text
of an arbitrary vocabulary.  NOTE: vector 1 exists because of an
incomplete fix for CVE-2009-1575.
