CVE-2009-2078
Description
Multiple cross-site scripting (XSS) vulnerabilities in Booktree 5.x before 5.x-7.3 and 6.x before 6.x-1.1, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) node title and (2) node body in a tree root page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Booktree module for Drupal 5.x and 6.x does not sanitize node title and body on tree root pages, allowing XSS.
Vulnerability
The Booktree module for Drupal 5.x (before 5.x-7.3) and 6.x (before 6.x-1.1) fails to properly escape node title and node body on tree root pages [2]. This allows stored cross-site scripting (XSS) attacks via crafted book nodes.
Exploitation
An attacker needs privileges to create book pages. By planting malicious script in the node title or body, the script executes on the tree root page when viewed by other users [2]. No special network position required.
Impact
Successful exploitation leads to arbitrary web script or HTML injection in the context of the site. Script executing in a victim's browser can compromise that user's session, potentially gaining full administrative access if the victim is an administrator [2].
Mitigation
Upgrade to Booktree 5.x-7.3 for Drupal 5.x or Booktree 6.x-1.1 for Drupal 6.x [2]. No workaround disclosed; the fixes are available in those releases.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.3:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.4:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.9:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-1.x:dev:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-7.0:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-7.1:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:5.x-7.2:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:heine.familiedeelstra:booktree:6.x-1.x:dev:*:*:*:*:*:*
- (no CPE) range: 5.x < 5.x-7.3, 6.x < 6.x-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/487810 (nvd: Patch, Vendor Advisory)
- drupal.org/node/487812 (nvd: Patch, Vendor Advisory)
- drupal.org/node/487828 (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/35287 (nvd: Patch)
- secunia.com/advisories/35421 (nvd: Vendor Advisory)
News mentions
No linked articles in our index yet.