CVE-2009-1738
Description
Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with administrator feed permissions to inject arbitrary web script or HTML via unspecified vectors in "aggregator items."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Drupal Feed Block module allows authenticated administrators to inject arbitrary script via unsanitized aggregator item titles.
Vulnerability
The Feed Block module for Drupal 6.x fails to sanitize aggregator item titles before display. Versions 6.x-1.x prior to 6.x-1.1 are affected [1]. The vulnerability exists in the handling of external feed items, where the module does not properly escape output, allowing stored cross-site scripting (XSS) [2].
Exploitation
An attacker must be a remote authenticated user with the "administer news feeds" permission [2]. They can inject arbitrary web script or HTML into aggregator items, which will be executed when other users view the block [2].
Impact
Successful exploitation leads to cross-site scripting, potentially allowing the attacker to gain full administrative access to the Drupal site by stealing session cookies or performing actions on behalf of the victim [2].
Mitigation
Upgrade to Feed Block 6.x-1.1, released on 4 May 2009, which adds check_plain() for titles to prevent XSS [1]. No workaround is available; the module is unsupported as of later versions [1].
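The following is an added example, not the Feed Block module's own code, to illustrate the output-escaping defect described above and the shape of the 6.x-1.1 fix. The two render functions and the sample feed items are hypothetical; `check_plain()` is Drupal 6's real escaping helper, and a fallback with the same behaviour is defined so the file runs under the PHP CLI without a Drupal bootstrap.

```php
<?php
// Added example (not the module's code): raw versus escaped rendering of
// aggregator item titles in a block. Drupal 6 provides check_plain(); when
// running outside Drupal, define an equivalent so the script is self-contained.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    // Same behaviour as Drupal 6's check_plain(): escape &, <, >, " and '.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample items, standing in for rows from the aggregator tables.
// The second title carries markup that must not reach the browser unescaped.
$items = array(
  array('title' => 'Plain headline'),
  array('title' => '<script>alert(1)</script> Headline'),
);

// Vulnerable pattern: the feed-supplied title is concatenated straight into
// the block markup, so any HTML or script in it is rendered by the browser.
function feed_block_render_unsafe(array $items) {
  $out = '<ul>';
  foreach ($items as $item) {
    $out .= '<li>' . $item['title'] . '</li>';
  }
  return $out . '</ul>';
}

// Hardened pattern: the title passes through check_plain() before output,
// which is the change the 6.x-1.1 release introduces for titles.
function feed_block_render_safe(array $items) {
  $out = '<ul>';
  foreach ($items as $item) {
    $out .= '<li>' . check_plain($item['title']) . '</li>';
  }
  return $out . '</ul>';
}

// Compare the two outputs: the unsafe one contains a live <script> element,
// the safe one contains only escaped text entities.
echo "unsafe: ", feed_block_render_unsafe($items), "\n";
echo "safe:   ", feed_block_render_safe($items), "\n";
```

The escaped output is safe only in HTML text context; a title placed inside an attribute or a JavaScript string would need the escaping appropriate to that context, so the rule to take away is to escape every feed-supplied value at the point where it is emitted, not at the point where it is stored.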
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ivanjaros:feed_block:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ivanjaros:feed_block:6.x-1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:ivanjaros:feed_block:6.x-1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:ivanjaros:feed_block:6.x-1.x:dev:*:*:*:*:*:*
- (no CPE) range: <6.x-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/453098 (nvd: Patch)
- drupal.org/node/461706 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/35044 (nvd: Vendor Advisory)
- www.vupen.com/english/advisories/2009/1319 (nvd: Vendor Advisory)
- www.osvdb.org/54429 (nvd)
- www.securityfocus.com/bid/34953 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/50521 (nvd)
News mentions
No linked articles in our index yet.