CVE-2008-6170
Description
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 5.x before 5.12 and 6.x before 6.6 allow authenticated users to inject arbitrary web script or HTML via the book page title.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Drupal 5.x before version 5.12 and 6.x before version 6.6. The bug is located in the book module, where the title of book pages is not properly escaped before being rendered. This allows authenticated users who have the "create book content" permission or the permission to edit any node in the book hierarchy to inject arbitrary HTML and script code via the book page title field [2].
Exploitation
An attacker must have a valid Drupal account with the necessary permissions (create book content or edit node book hierarchy). The attacker then crafts a malicious title containing JavaScript and creates or edits a book page. When other users view that page, the script executes in the context of their session, potentially allowing further actions such as administrator privilege escalation [2].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML, which can lead to session hijacking, credential theft, or administrative account takeover. Because the injected script runs with the privileges of whoever views the page, an administrator viewing a crafted book page could be compromised, giving the attacker administrator access [2].
Mitigation
Drupal 5.12 and Drupal 6.6, released on 22 October 2008, contain the fix [2]. Sites running Drupal 5.x should upgrade to 5.12, and those on 6.x should upgrade to 6.6. Patches (SA-2008-067-5.11.patch and SA-2008-067-6.5.patch) are available for sites that cannot upgrade immediately [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
- (no CPE) version range: <5.12, <6.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/324824 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/32297 (nvd; Vendor Advisory)
- secunia.com/advisories/32441 (nvd)
- www.securityfocus.com/bid/31882 (nvd)
- www.vupen.com/english/advisories/2008/2913 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/46052 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html (nvd)
News mentions
No linked articles in our index yet.