CVE-2009-3157
Description
Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Drupal Calendar module 6.x before 6.x-2.2 has a stored XSS vulnerability where authenticated users with content type creation privileges can inject arbitrary script via the content type title.
Vulnerability
The Calendar module for Drupal 6.x, prior to version 6.x-2.2, contains a stored cross-site scripting (XSS) vulnerability [1]. The module fails to properly escape user input when displaying titles of content types that have Date fields. A user with the “create new content types” privilege can inject arbitrary web script or HTML through the title of a content type [1].
Exploitation
An attacker must be an authenticated user who has permission to create new content types (including via the Date module’s Date Tools sub-module) [1]. The attacker creates a new content type with a crafted title that includes malicious JavaScript or HTML. When other users visit pages where the Calendar module displays the content type title, the injected script executes in their browsers. No additional privileges or user interaction beyond viewing the page is required for the payload to execute.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim’s browser session [1]. This can lead to full administrative access if the victim is an administrator, as the attacker can steal cookies, perform actions on behalf of the user, or inject further malicious content. The vulnerability is rated moderately critical [1].
Mitigation
Upgrade to Calendar 6.x-2.2, which includes a fix adding check_plain() to sanitize output [1][2]. The release containing this fix was made available on July 29, 2009 [1]. Users who cannot upgrade should restrict the “administer content types” permission to trusted users only, but upgrading is the definitive solution.
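To make the fix concrete, here is an added PHP illustration (not code from the Calendar module or Drupal) of the unescaped output pattern the advisory describes beside the check_plain() version, plus a defender-side scan of stored content type names. check_plain_standin() is an assumed stand-in for Drupal 6's check_plain(), the content type record shape is hypothetical, and the title value is constructed for the demonstration.

```php
<?php
// Added illustration, not Calendar module code. Stand-in for Drupal 6's
// check_plain(): escape the HTML-significant characters, treating input as UTF-8.
function check_plain_standin($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed content type record, as a user with "create new content types"
// could store it (hypothetical shape, not Drupal's own node_type row).
$content_type = array(
    'type' => 'event',
    'name' => 'Events <script>alert(\'xss\')</script>',
);

// Vulnerable pattern (6.x before 6.x-2.2): the stored title is concatenated
// into markup unchanged, so the injected script reaches every viewer's browser.
function render_type_link_vulnerable(array $type) {
    return '<a href="/calendar/' . $type['type'] . '">' . $type['name'] . '</a>';
}

// Fixed pattern (6.x-2.2): every value that originated as user input goes
// through check_plain() before it is placed in the page.
function render_type_link_fixed(array $type) {
    return '<a href="/calendar/' . check_plain_standin($type['type']) . '">'
         . check_plain_standin($type['name']) . '</a>';
}

// Defender-side check for an existing site: a content type name that already
// contains markup should never be legitimate, so flag it for review.
function find_suspicious_type_names(array $types) {
    $hits = array();
    foreach ($types as $t) {
        if ($t['name'] !== strip_tags($t['name'])) {
            $hits[] = $t['type'];
        }
    }
    return $hits;
}

echo render_type_link_vulnerable($content_type), "\n"; // raw <script> tag in output
echo render_type_link_fixed($content_type), "\n";      // &lt;script&gt; escaped, inert
print_r(find_suspicious_type_names(array($content_type))); // Array ( [0] => event )
```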
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:*:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.1:*:*:*:*:*:*:*
- cpe:2.3:a:karen_stevenson:calendar:6.x-2.x-dev:*:*:*:*:*:*:*
- (no CPE) version range: < 6.x-2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/534336 (NVD; Patch, Vendor Advisory)
- drupal.org/node/534652 (NVD; Patch, Vendor Advisory)
- www.securityfocus.com/bid/35790 (NVD; Patch)
- secunia.com/advisories/36012 (NVD; Vendor Advisory)
- lampsecurity.org/drupal-date-xss-vulnerability (NVD; URL Repurposed)
- www.osvdb.org/56611 (NVD)
News mentions
No linked articles in our index yet.