VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2009 · Updated Apr 23, 2026

CVE-2009-3206

Description

Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, allow remote authenticated users, with "administer imagecache" permissions, to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in ImageCache Drupal module allows authenticated users with 'administer imagecache' permission to inject arbitrary web script or HTML.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the ImageCache module for Drupal, versions 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10 [1]. The module fails to properly escape user-supplied preset variables before output, allowing injection of arbitrary web script or HTML [1]. The vulnerability requires the attacker to have the "administer imagecache" permission [1].

Exploitation

An authenticated remote user with the "administer imagecache" permission can exploit this by supplying crafted input for preset variables that are not properly sanitized [1]. The attacker does not need any special network position beyond being an authenticated user with the required permission [1]. The exact vectors are unspecified but involve the manipulation of preset configuration fields [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the affected site, potentially leading to session hijacking, defacement, or theft of sensitive information [1]. The impact is limited to users with the "administer imagecache" permission, reducing the pool of potential attackers to trusted roles [1].

Mitigation

Users should upgrade to ImageCache 5.x-2.5 for Drupal 5.x or 6.x-2.0-beta10 for Drupal 6.x [1]. The 6.x version is beta software and not recommended for production sites; site administrators should weigh the risk [1]. No workaround is provided in the advisory [1].
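To make the escaping point concrete, here is an added illustration (not code from the ImageCache module or from the advisory): a hypothetical Drupal 6 style admin listing of presets, first in the unescaped form the CVE describes and then escaped on output with `check_plain()`. The preset array keys `presetid` and `presetname`, the `example_` function names and the sample data are assumptions.

```php
<?php
// Added illustration, not code from the ImageCache module or the
// advisory: a hypothetical admin listing of ImageCache presets, first in
// the unescaped form the CVE describes, then escaped on output.
// Assumed: presets are arrays with 'presetid' and 'presetname' keys.

// Constructed sample data. The second name carries markup that an
// account holding "administer imagecache" could have saved.
$presets = array(
  array('presetid' => 1, 'presetname' => 'thumbnail'),
  array('presetid' => 2, 'presetname' => 'hero<b>x</b>'),
);

// Drupal 6 escapes with check_plain(); outside a Drupal bootstrap fall
// back to the equivalent htmlspecialchars() call so this file runs alone.
function example_escape($text) {
  if (function_exists('check_plain')) {
    return check_plain($text);
  }
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored preset name goes into the page as-is,
// so markup in the name is rendered by every administrator's browser.
function example_preset_rows_unescaped(array $presets) {
  $html = '';
  foreach ($presets as $preset) {
    $html .= '<tr><td>' . $preset['presetid'] . '</td><td>'
           . $preset['presetname'] . '</td></tr>' . "\n";
  }
  return $html;
}

// Hardened pattern: every user-controlled string is escaped at the point
// it is placed into HTML, which is the fix the advisory describes.
function example_preset_rows_escaped(array $presets) {
  $html = '';
  foreach ($presets as $preset) {
    $html .= '<tr><td>' . (int) $preset['presetid'] . '</td><td>'
           . example_escape($preset['presetname']) . '</td></tr>' . "\n";
  }
  return $html;
}

echo "Unescaped:\n" . example_preset_rows_unescaped($presets);
echo "Escaped:\n" . example_preset_rows_escaped($presets);
```

In the escaped output the second row shows the literal text `hero<b>x</b>` rather than a rendered bold tag, which is what the fixed releases achieve for preset variables.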

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Drewish/Imagecache, 32 versions:
    • cpe:2.3:a:drewish:imagecache:5.x-1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.x:dev:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:alpha:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.x:dev:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-1.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-1.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta5:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta6:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta7:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta8:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta9:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.x-dev:*:*:*:*:*:*:*
    • (no CPE) range: >= 5.x < 5.x-2.5, >= 6.x < 6.x-2.0-beta10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.