Message-ID: <Pine.GSO.4.51.0906061236220.28142@faron.mitre.org>
Date: Sat, 6 Jun 2009 12:36:43 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: drupal

On Thu, 28 May 2009, Nico Golde wrote:

> Hi,
> http://drupal.org/node/461886

======================================================
Name: CVE-2009-1844
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1844
Reference: CONFIRM:http://drupal.org/node/461886
Reference: DEBIAN:DSA-1808
Reference: URL:http://www.debian.org/security/2009/dsa-1808
Reference: SECUNIA:35282
Reference: URL:http://secunia.com/advisories/35282

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before
5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject
arbitrary web script or HTML via crafted UTF-8 byte sequences that are
treated as UTF-7 by Internet Explorer 6 and 7, which are not properly
handled in the "HTML exports of books" feature; and (2) allow remote
authenticated users with administer taxonomy permissions to inject
arbitrary web script or HTML via the help text of an arbitrary
vocabulary.  NOTE: vector 1 exists because of an incomplete fix for
CVE-2009-1575.
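Vector (1) above works because a browser that is not told the document's
encoding may sniff it, and IE 6/7 could decide on UTF-7, in which case
bytes that look harmless as UTF-8 decode to markup. The standard
defensive control for generated HTML such as a book export is to declare
the charset explicitly, both in the HTTP Content-Type header and in a
<meta> tag early in <head>. The code below is an added illustration of
that check and fix-up written for this page; it is not Drupal's code and
not the patch referenced by the advisory. The sample HTML strings and the
function names (declared_charset, ensure_utf8_charset,
content_type_header) are assumptions constructed for the example.

```python
import re

# Constructed samples: an export that declares no charset, and one that does.
SAMPLE_NO_CHARSET = (
    "<html><head><title>Book export</title></head>"
    "<body><p>chapter text</p></body></html>"
)
SAMPLE_WITH_CHARSET = (
    '<html><head><meta charset="utf-8"><title>Book export</title></head>'
    "<body><p>chapter text</p></body></html>"
)

# Matches both <meta charset="..."> and the older
# <meta http-equiv="Content-Type" content="text/html; charset=..."> form,
# since either declares the encoding.
_CHARSET_META = re.compile(
    r'<meta\b[^>]*\bcharset\s*=\s*["\']?([\w-]+)', re.IGNORECASE
)
_HEAD_OPEN = re.compile(r"<head\b[^>]*>", re.IGNORECASE)


def declared_charset(html: str):
    """Return the charset declared in a <meta> tag (lower-cased), or None."""
    m = _CHARSET_META.search(html)
    return m.group(1).lower() if m else None


def ensure_utf8_charset(html: str) -> str:
    """Return html with an explicit UTF-8 <meta> declaration.

    If a charset is already declared the document is returned unchanged.
    Otherwise the tag is inserted as the first child of <head>, so the
    browser sees it before any content it could otherwise sniff; when
    there is no <head> at all the tag is prepended to the document.
    """
    if declared_charset(html) is not None:
        return html
    tag = '<meta charset="utf-8">'
    m = _HEAD_OPEN.search(html)
    if m:
        return html[: m.end()] + tag + html[m.end():]
    return tag + html


def content_type_header(charset: str = "utf-8"):
    """The HTTP header that should accompany the export.

    The header is the stronger control: it is honoured before any byte of
    the body is inspected, so it should be set even when the <meta> tag
    is present.
    """
    return ("Content-Type", f"text/html; charset={charset}")


if __name__ == "__main__":
    fixed = ensure_utf8_charset(SAMPLE_NO_CHARSET)
    print(content_type_header())
    print(fixed)
```

Both layers matter: the header settles the encoding before the body is
parsed, and the early <meta> tag covers the case where the file is saved
to disk and opened without HTTP headers, which is exactly how an
"HTML export" is often consumed.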