CVE-2009-2610
Description
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in the Links Related module of Drupal's Links Package via improperly escaped title fields.
Vulnerability
The Links Related module in the Links Package for Drupal versions 5.x before 5.x-1.13 and 6.x before 6.x-1.2 contains a cross-site scripting (XSS) vulnerability. The module does not properly escape user input used as the title on certain pages, allowing remote authenticated users to inject arbitrary web script or HTML via the title field [1][2][3].
Exploitation
An authenticated user with privileges to create content can exploit this vulnerability by inserting malicious script into the title field. No additional network position or write access beyond content creation rights is required. The attacker submits a crafted title that, when rendered on a page by the Links Related module, executes the injected script in the context of the victim's browser [3].
Impact
Successful exploitation allows the attacker to perform cross-site scripting attacks, potentially leading to full administrative access to the Drupal site. The impact is information disclosure and privilege escalation, as the attacker can steal session cookies, perform actions on behalf of the victim, or inject further malicious content [3].
Mitigation
The vulnerability is fixed in Links Package 5.x-1.13 and 6.x-1.2, both released on 24 June 2009 [1][2][3]. Sites using earlier versions should upgrade immediately. No workaround is provided; the solution is to upgrade to the patched versions. These releases are marked as security updates [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:scott_courtney:links_package:5.x-1.11:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.12:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.12-beta1:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.4:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.5:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.6:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.7:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.8:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.9:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:5.x-1.x-dev:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta1:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta10:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta11:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta12:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta13:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta14:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta15:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta2:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta3:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta5:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta6:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.0-beta7:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:scott_courtney:links_package:6.x-1.x-dev:*:*:*:*:*:*:*
- Range: 5.x <5.x-1.13, 6.x <6.x-1.2
Patches
No patches discovered yet.
References
- drupal.org/node/501356 (nvd: Patch, Vendor Advisory)
- drupal.org/node/501360 (nvd: Patch, Vendor Advisory)
- drupal.org/node/502112 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/35557 (nvd: Vendor Advisory)
- osvdb.org/55326 (nvd)
- www.securityfocus.com/bid/35491 (nvd)