VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2009 · Updated Apr 23, 2026

CVE-2009-1342

Description

Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in the Drupal CCK comment reference module before 6.x-1.2 allows remote attackers to inject arbitrary web script or HTML via comment titles shown on node edit forms.

Vulnerability

The CCK comment reference module for Drupal 6.x before version 6.x-1.2 fails to properly filter comment titles when displaying a node edit form. This allows an attacker to inject arbitrary web script or HTML through specially crafted comment titles associated with a node edit form.

Exploitation

An attacker with the ability to create or modify comment titles can inject malicious code. When a user (especially an administrator) accesses a node edit form that includes a comment reference field, the injected script executes in the context of the victim's session. The attack is remote and does not require authentication beyond normal comment submission privileges.

Impact

Successful exploitation leads to cross-site scripting (XSS), allowing the attacker to execute arbitrary web script or HTML in the victim's browser. This can result in session hijacking, credential theft, or gaining full administrative access to the Drupal site.

Mitigation

Upgrade to CCK comment reference version 6.x-1.2, which fixes the issue. No workaround is available. The advisory was published by Drupal on April 15, 2009 [1].
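As an added illustration (not code from the CCK comment reference module, whose actual source is not on this page), the defect class is a comment subject placed into a Drupal 6 form element that is rendered as HTML without escaping, shown beside the check_plain() fix. The comment value, the element type and the example_* function names are constructed assumptions.

```php
<?php
// Constructed illustration of the defect class behind CVE-2009-1342:
// untrusted comment text reaching a Drupal 6 node edit form unescaped.

// Stand-in so the file runs with plain PHP; inside Drupal, core's
// check_plain() is used and this block is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample comment with a script tag in its subject.
$comment = (object) array(
  'cid' => 42,
  'subject' => '<script>alert(1)</script>',
);

// Vulnerable pattern: Drupal 6 prints a checkbox '#title' as raw HTML,
// so the comment subject is emitted into the page without filtering.
function example_vulnerable_element($comment) {
  return array(
    '#type' => 'checkbox',
    '#title' => $comment->subject,       // raw HTML reaches the browser
    '#return_value' => $comment->cid,
  );
}

// Hardened pattern: escape untrusted text with check_plain() before it
// is placed anywhere Drupal treats the value as HTML.
function example_safe_element($comment) {
  return array(
    '#type' => 'checkbox',
    '#title' => check_plain($comment->subject),  // tags become entities
    '#return_value' => $comment->cid,
  );
}

// Local check: the hardened title must contain no literal angle brackets.
$safe = example_safe_element($comment);
var_dump(strpos($safe['#title'], '<') === FALSE);
```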

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • cpe:2.3:a:drupal:cck_comment_reference:6.x:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:cck_comment_reference:6.x-1.1:*:*:*:*:*:*:*
  • (no CPE) range: <6.x-1.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.