VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2009 · Updated Apr 23, 2026

CVE-2009-1844

Description

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal 5.x before 5.18 and 6.x before 6.12 contain XSS vulnerabilities via UTF-8 byte sequences interpreted as UTF-7 in book exports and via taxonomy help text.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in Drupal 5.x before version 5.18 and 6.x before version 6.12 [1]. The first vector is in the "HTML exports of books" feature: crafted byte sequences that are valid UTF-8, but that Internet Explorer 6 and 7 interpret as UTF-7, are not properly handled in the exported output. This vector exists because the earlier fix for CVE-2009-1575 was incomplete. The second vector affects the taxonomy module and allows users holding the 'administer taxonomy' permission to inject arbitrary HTML and script via the help text of any vocabulary [1].

Exploitation

For the first vector, the attacker needs an authenticated account with edit permissions for pages in outlines, i.e. the ability to create or modify book content [1]. The attacker places content containing UTF-8 byte sequences that IE6/7 decode as UTF-7 into the book; because the bytes are valid UTF-8, Drupal's output filtering does not neutralize them. When a victim using IE6 or IE7 views the generated HTML export of that book, the injected script executes in the victim's browser. For the second vector, the attacker must hold the 'administer taxonomy' permission (a privileged role) and can then place arbitrary script in the help text field of a vocabulary; any user viewing the vocabulary page is affected, with no browser-specific condition [1].

Impact

Successful exploitation lets the attacker inject arbitrary web script or HTML, which can lead to session hijacking, credential theft, or defacement within the context of the affected Drupal site. The first vector requires an authenticated user with edit permissions and the second a privileged user with 'administer taxonomy', but in both cases the resulting XSS can compromise other users of the site [1].

Mitigation

Upgrade to Drupal 5.18 or Drupal 6.12, released on 2009-May-13 [1]. For users unable to upgrade immediately, patches are available for Drupal 5.17 (SA-CORE-2009-006-5.17.patch) and Drupal 6.11 (SA-CORE-2009-006-6.11.patch) [1]. No workaround is provided for the incomplete fix; the patch must be applied. The vulnerability is not listed on the CISA KEV.
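As an added, defender-side illustration (not code from the advisory, from Drupal, or from the referenced patches), the following check audits a generated HTML export for the two conditions that defeat the charset sniffing this first vector relies on: strictly valid UTF-8 bytes and an explicit UTF-8 charset declaration inside `<head>`, before any user-supplied content. The sample documents are constructed, and the check is a general hardening practice against browser encoding auto-detection, not the specific fix shipped in Drupal 5.18 / 6.12.

```python
import re

# Constructed sample exports (not taken from the advisory). The first
# declares its charset up front, the second leaves the browser to guess,
# the third contains a byte that is not valid UTF-8.
GOOD_EXPORT = (b'<!DOCTYPE html><html><head>'
               b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
               b'<title>Book</title></head><body><p>caf\xc3\xa9</p></body></html>')
NO_CHARSET_EXPORT = (b'<!DOCTYPE html><html><head><title>Book</title></head>'
                     b'<body><p>caf\xc3\xa9</p></body></html>')
BAD_BYTES_EXPORT = (b'<!DOCTYPE html><html><head>'
                    b'<meta charset="utf-8"><title>Book</title></head>'
                    b'<body><p>caf\xe9</p></body></html>')

# Matches both <meta charset="utf-8"> and the http-equiv Content-Type form.
CHARSET_RE = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?\s*utf-?8\b', re.IGNORECASE)


def audit_html_export(doc):
    """Return a list of findings for an HTML export; empty means it passes."""
    findings = []
    # 1. Every byte must be strictly valid UTF-8. Bytes the server cannot
    #    decode are exactly the bytes a browser may reinterpret on its own.
    try:
        doc.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        findings.append("invalid UTF-8 at byte %d" % exc.start)
    # 2. The charset must be declared inside <head>, ahead of the body, so
    #    the browser has an explicit encoding and no reason to auto-detect.
    head_end = doc.lower().find(b"</head>")
    head = doc if head_end == -1 else doc[:head_end]
    if not CHARSET_RE.search(head):
        findings.append("no explicit UTF-8 charset declaration in <head>")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_EXPORT),
                         ("no-charset", NO_CHARSET_EXPORT),
                         ("bad-bytes", BAD_BYTES_EXPORT)):
        print(name, audit_html_export(sample) or "OK")
```

The charset check is deliberately scoped to `<head>`: a declaration that only appears after user-controlled body content arrives too late to prevent the browser from having already guessed.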

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (30)

  • Drupal / Drupal (30 versions)
    • cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.16:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
    • (no CPE) version range: 5.x < 5.18 / 6.x < 6.12

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.