VDB
CVE-2009-1844
CVE-2009-1844
PUBLISHED
CVSS 3.5 LOW
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.
EPSS 0.19% · 40.9th percentile
Risk Scores
CVSS 2.0
3.5
EPSS Score
0.19%
40.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| drupal | drupal | 5.8, 5.0, 5.2 |
| n/a | n/a | n/a |
Timeline
- Jun 1, 2009 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- http://drupal.org/node/461886 url
- DSA-1808 vendor-advisory
- 35282 third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2009-1844 advisory