VYPR
Unrated severity · NVD Advisory · Published Sep 24, 2009 · Updated Apr 23, 2026

CVE-2009-3363

Description

Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x before 5.x-1.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the "plain textarea editor."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in the BUEditor Drupal module allows remote attackers to inject arbitrary web script or HTML via the plain textarea editor.

Vulnerability

The BUEditor module for Drupal, versions 5.x before 5.x-1.2 and 6.x before 6.x-1.4, contains a cross-site scripting (XSS) vulnerability. The issue occurs because input to the "plain textarea editor" is not properly sanitized before being rendered in the Live preview feature [1].

Exploitation

An attacker can exploit this vulnerability by tricking a logged-in user into visiting a crafted page that uses the Live preview feature of BUEditor. No special privileges are required, and the attack can be carried out remotely [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to account hijacking, as the attacker may steal session cookies or perform actions on behalf of the victim [1].

Mitigation

Users should upgrade to BUEditor version 6.x-1.4 (for Drupal 6.x) or version 5.x-1.2 (for Drupal 5.x). The fix was released on September 9, 2009 [1]. Drupal core is not affected; only sites using the contributed BUEditor module need to take action [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • cpe:2.3:a:ufku_bayburt:bueditor:5.x-1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:5.x-1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:5.x-1.x-dev:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:6.x-1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:6.x-1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:6.x-1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:6.x-1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ufku_bayburt:bueditor:6.x-1.x-dev:*:*:*:*:*:*:*
  • Drupal/Bueditor (llm-fuzzy)
    Range: <5.x-1.2 and <6.x-1.4

Patches

0

No patches discovered yet.
