VYPR
Unrated severity · NVD Advisory · Published Jul 8, 2009 · Updated Apr 23, 2026

CVE-2009-2371

Description

Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Advanced Forum for Drupal 6.x, users can modify their signature to execute arbitrary code after the comment format is changed to an administrator-controlled format.

Vulnerability

Advanced Forum 6.x before 6.x-1.1, a third-party Drupal module, fails to prevent authenticated users from modifying their user signature after the associated comment format has been changed to an administrator-controlled input format [1]. This affects only the 6.x branch; the 5.x branch is not impacted by this specific flaw [1]. The vulnerability occurs because signatures do not have a separate input format and instead inherit the format of the comment with which they are displayed [1].

Exploitation

An attacker must be an authenticated user who can create comments in the forum. The vulnerability is triggered after an administrator changes the comment's input format to a format that is not normally accessible to the user (e.g., a more permissive format or one with the PHP filter enabled) [1]. The user can then edit their signature via the user profile or settings page, and the signature will be processed using that new format [1]. No special network position or race window is required; the attack sequence is: (1) administrator changes the comment format, (2) the attacker (already authenticated) edits their signature, (3) the signature is rendered with the permissive format, injecting the malicious content [1].
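A minimal model of the sequence above, added here as an illustration; it is not Advanced Forum's code or its 6.x-1.1 patch. The format table, role names, filter functions and the fallback check in `render_hardened` are assumptions made for the example.

```python
import html
from dataclasses import dataclass

# Constructed stand-ins for Drupal input formats (ids, roles, filters are assumptions).
FORMATS = {
    1: {"name": "Filtered HTML", "roles": {"authenticated", "admin"},
        "filter": html.escape},          # simplified: escapes all markup
    2: {"name": "Full HTML", "roles": {"admin"},
        "filter": lambda text: text},    # admin-only: markup passes through
}
DEFAULT_FORMAT = 1

@dataclass
class User:
    name: str
    roles: set
    signature: str = ""

@dataclass
class Comment:
    author: User
    body: str
    format: int

def render_vulnerable(comment):
    """Flawed pattern: the signature inherits the comment's input format."""
    run = FORMATS[comment.format]["filter"]
    return run(comment.body) + "\n-- \n" + run(comment.author.signature)

def render_hardened(comment):
    """Hypothetical check: use the comment's format for the signature only if
    the signature's author may use that format; otherwise use the default."""
    fmt = comment.format
    if not FORMATS[fmt]["roles"] & comment.author.roles:
        fmt = DEFAULT_FORMAT
    body = FORMATS[comment.format]["filter"](comment.body)
    return body + "\n-- \n" + FORMATS[fmt]["filter"](comment.author.signature)

def scenario():
    """Replays the three steps above with constructed data."""
    member = User("member", {"authenticated"})
    comment = Comment(member, "hello", DEFAULT_FORMAT)
    comment.format = 2                                # (1) admin switches format
    member.signature = "<script>/* constructed marker */</script>"  # (2) edit
    return render_vulnerable(comment), render_hardened(comment)     # (3) render

if __name__ == "__main__":
    for label, out in zip(("vulnerable", "hardened"), scenario()):
        print(label, "->", out.splitlines()[-1])
```

The point of the hardened path is that the filter applied to a piece of content is chosen from its own author's permissions, not inherited from neighbouring content that someone more privileged has re-saved.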

Impact

Successful exploitation allows a remote authenticated user to inject arbitrary HTML and script code into forum pages (stored XSS) [1]. If the PHP filter is enabled for the permissive format, the attacker may also execute arbitrary PHP code [1]. In either case, the attacker's payload is stored in the signature and executed when other users view the attacker's forum posts, potentially leading to account compromise or further administrative access [1].

Mitigation

Upgrade to Advanced Forum 6.x-1.1 (released 2009-07-01), which fixes the vulnerability [1][2]. For the 5.x branch, upgrade to 5.x-1.1 to address related issues, though the signature-specific flaw does not affect 5.x [1]. No workaround is described in the references, and this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • cpe:2.3:a:michelle_cox:advanced_forum:6.x-1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:michelle_cox:advanced_forum:6.x-1.x-dev:*:*:*:*:*:*:*
  • (no CPE) range: <6.x-1.1

Patches

0

No patches discovered yet.

References

5
