VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 8, 2009· Updated Apr 23, 2026

CVE-2009-2373

CVE-2009-2373

Description

Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Drupal Forum module allows remote attackers to inject arbitrary web script or HTML via crafted URL arguments.

Vulnerability

The Forum module in Drupal 6.x before version 6.13 contains a cross-site scripting (XSS) vulnerability due to improper handling of certain arguments obtained from the URL [1]. This allows remote attackers to inject arbitrary web script or HTML into forum pages. The issue affects Drupal 6.x only [1].

Exploitation

An attacker can exploit this vulnerability by crafting a specially crafted URL containing malicious script code. The attacker then entices a suitably privileged user, such as an administrator, to visit that URL [1]. No authentication or special privileges are required for the attacker to craft the URL, but user interaction (the victim visiting the URL) is necessary.

Impact

Successful exploitation allows the attacker to insert arbitrary HTML and script code into forum pages [1]. This cross-site scripting attack can lead to the malicious user gaining administrative access to the Drupal site, potentially compromising the entire installation [1].

Mitigation

The vulnerability is fixed in Drupal 6.13 [1]. Users should upgrade to Drupal 6.13 or later immediately. No workarounds are provided in the advisory. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

45
  • Drupal/Drupal45 versions
    cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*+ 44 more
    • cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.16:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.1_rev1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.5.:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
    • (no CPE)range: >=6.0, <6.13

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.