CVE-2009-4369 : Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/

Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.

Published 2009-12-21 16:30:01

Updated 2017-08-17 01:31:34

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2009-4369

Drupal » Drupal » Version: 5.0
cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.1
cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.2
cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.12
cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Beta3
cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Rc-4
cpe:2.3:a:drupal:drupal:6.0:rc-4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.20
cpe:2.3:a:drupal:drupal:5.20:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.19
cpe:2.3:a:drupal:drupal:5.19:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.13
cpe:2.3:a:drupal:drupal:5.13:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.17
cpe:2.3:a:drupal:drupal:5.17:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.5
cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.0 Update RC1
cpe:2.3:a:drupal:drupal:5.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.2
cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.10
cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.9
cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.1
cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0
cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.11
cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.3
cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.12
cpe:2.3:a:drupal:drupal:5.12:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.11
cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.8
cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.6
cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.7
cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.5
cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.14
cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.13
cpe:2.3:a:drupal:drupal:6.13:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Rc-1
cpe:2.3:a:drupal:drupal:6.0:rc-1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Rc-3
cpe:2.3:a:drupal:drupal:6.0:rc-3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Rc-2
cpe:2.3:a:drupal:drupal:6.0:rc-2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Beta2
cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.15
cpe:2.3:a:drupal:drupal:5.15:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.14
cpe:2.3:a:drupal:drupal:5.14:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.16
cpe:2.3:a:drupal:drupal:5.16:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.0 Update RC2
cpe:2.3:a:drupal:drupal:5.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.10
cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.0 Update Beta1
cpe:2.3:a:drupal:drupal:5.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.0 Update Beta2
cpe:2.3:a:drupal:drupal:5.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.8
cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Beta4
cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.4
cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 6.0 Update Beta1
cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.7
cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.X Update DEV
cpe:2.3:a:drupal:drupal:5.x:dev:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.18
cpe:2.3:a:drupal:drupal:5.18:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.4
cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.9
cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 5.6
cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-4369

EPSS FAQ

0.26%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-4369

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2009-4369

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-4369

http://drupal.org/node/661586

Patch;Vendor Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/54867
http://www.madirish.net/?article=441

Exploit;Patch
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch

Exploit

CVEs referencing this url
http://www.securityfocus.com/bid/37372

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2009-4369

Products affected by CVE-2009-4369

Exploit prediction scoring system (EPSS) score for CVE-2009-4369

CVSS scores for CVE-2009-4369

CWE ids for CVE-2009-4369

References for CVE-2009-4369