CVE-2009-0603
Description
Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via the description parameter (aka the Help field). NOTE: some of these details are obtained from third party information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in Drupal Link module 5.x-2.5 allows authenticated admins to inject arbitrary HTML/script via the description parameter (Help field).
Vulnerability
Cross-site scripting (XSS) vulnerability in index.php within the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users with "administer content types" privileges to inject arbitrary web script or HTML via the description parameter (also known as the Help field) [1]. This flaw resides in the input validation of the Help field when the module processes content type configurations.
Exploitation
An attacker must have a valid Drupal account with the "administer content types" permission. This privilege is typically granted to administrators or trusted content editors. The attacker crafts a malicious script or HTML payload and submits it as the description (Help field) value when editing or creating a content type that uses the Link module. No additional user interaction beyond normal administrative actions is required to inject the payload.
Impact
Successful exploitation results in stored cross-site scripting (XSS). When other users with access to the affected content type configuration view the Help text, the injected script executes in their browser context. This can lead to session hijacking, credential theft, or further administrative actions performed on behalf of the victim, compromising the confidentiality and integrity of the Drupal site.
Mitigation
The Drupal Link module 5.x-2.5 is affected. A fixed version should be obtained from the Drupal project or third-party maintainers. As of the publication date (2009-02-16), a patch or update may not have been broadly released; users should monitor the Drupal security advisory channels. If no official fix is available, restrict "administer content types" privileges to trusted users only as a workaround.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:link_module:5.x-2.5:*:*:*:*:*:*:*
- (no CPE) range: 5.x-2.5
Patches
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.