VYPR: NVD Advisory · Severity: unrated · Published Dec 21, 2009 · Updated Apr 23, 2026

CVE-2009-4369

Description

Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Drupal Contact module allows authenticated admins to inject arbitrary HTML/JS via category name.

Vulnerability

The Contact module in Drupal Core versions 5.x before 5.21 and 6.x before 6.15 contains a cross-site scripting (XSS) vulnerability. The module fails to sanitize the output of contact category names before display on the contact administration page. The vulnerability resides in modules/contact/contact.admin.inc or modules/contact/contact.module. [1][2]

Exploitation

An attacker must have the 'administer site-wide contact form' permission. The attacker creates or edits a contact category and enters malicious script in the 'Category' field. When the category is saved, the script is rendered on the contact administration page (`?q=admin/build/contact`). No user interaction beyond the attacker's own actions is required. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the administration interface. This can lead to compromise of administrative accounts, potentially resulting in full site control. The CIA impact is primarily integrity and confidentiality, as the attacker can steal session cookies or perform actions on behalf of an admin. [1][2]

Mitigation

The vulnerability is fixed in Drupal 5.21 and 6.15, released on 2009-12-16. Users should upgrade immediately. For those unable to upgrade, patches are available: SA-CORE-2009-009-6.14.patch for Drupal 6.14 and SA-CORE-2009-009-5.20.patch for Drupal 5.20. [2]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Drupal/Drupal: 48 versions (cpe:2.3:a:drupal:drupal:5.0:*:*:*:*:*:*:* and 47 more)
  • Range: 5.x before 5.21, 6.x before 6.15

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output sanitization in the Contact module's category name display allows stored XSS."

Attack vector

An attacker who has been granted the "administer site-wide contact form" permission can inject arbitrary web script or HTML through the contact category name field [ref_id=1]. The attacker navigates to Administer → Site building → Contact form, clicks "Add category," and enters a malicious payload such as `<script>alert('xss');</script>` as the category name [ref_id=1]. When the category list is rendered at `?q=admin/build/contact`, the unsanitized category name is output directly into the page, causing the injected script to execute in the browser of any administrator viewing the category list [CWE-79] [ref_id=1].

Affected code

The vulnerability resides in the Contact module's administrative category listing. In Drupal 6.x, the affected file is `modules/contact/contact.admin.inc`; in Drupal 5.x, it is `modules/contact/contact.module` [ref_id=1]. Both versions share the same vulnerable code path in the `contact_admin_categories()` function, where the `$category->category` value is output without sanitization [ref_id=1].

What the fix does

The patch wraps the `$category->category` output with the `filter_xss()` function, which strips dangerous HTML tags and attributes before the category name is rendered in the administrative table [ref_id=1]. In Drupal 6.x, the change is applied in `contact.admin.inc` line 16; in Drupal 5.x, the same change is applied in `contact.module` line 148 [ref_id=1]. This ensures that any script or HTML injected into the category name is neutralized before being displayed to other users [CWE-79].
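As an added example (not code from the advisory or from the Drupal project), the following Python audits stored contact category names for markup of the kind described above, and contrasts the pre-fix rendering of `$category->category` with escaping on output; `html.escape` is an assumed stand-in for Drupal's `filter_xss()`, and the sample rows are constructed to resemble Drupal 5/6 `contact` table entries.

```python
import html
import re

# Constructed sample rows shaped like Drupal 5/6 `contact` table entries
# (cid, category, recipients). Row 3 carries the payload quoted on this page.
SAMPLE_CATEGORIES = [
    {"cid": 1, "category": "Website feedback", "recipients": "webmaster@example.com"},
    {"cid": 2, "category": "Sales & partnerships", "recipients": "sales@example.com"},
    {"cid": 3, "category": "<script>alert('xss');</script>", "recipients": "x@example.com"},
    {"cid": 4, "category": "Prices < 100 EUR", "recipients": "shop@example.com"},
]

# Indicators a plain-text category name should never contain: a tag opener
# directly followed by a tag character, a javascript: URL, or an event handler
# attribute. A bare "<" followed by a space (row 4) is not treated as markup.
_MARKUP = re.compile(r"</?[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_markup_in_categories(rows):
    """Return the cids of rows whose category name contains HTML/script markup.

    Useful after upgrading to 5.21/6.15: filter_xss() neutralizes stored
    payloads on output, but the rows themselves still need cleaning.
    """
    return [row["cid"] for row in rows if _MARKUP.search(row["category"])]


def render_admin_row_vulnerable(row):
    """Pre-fix behaviour described above: the value is inserted unescaped."""
    return "<td>%s</td>" % row["category"]


def render_admin_row_fixed(row):
    """Post-fix behaviour: escape on output (stand-in for filter_xss())."""
    return "<td>%s</td>" % html.escape(row["category"], quote=True)


if __name__ == "__main__":
    print("flagged cids:", find_markup_in_categories(SAMPLE_CATEGORIES))
    for row in SAMPLE_CATEGORIES:
        print(row["cid"], render_admin_row_fixed(row))
```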

Preconditions

  • Auth: the attacker must have the 'administer site-wide contact form' permission
  • Config: the Contact module must be enabled on the Drupal site
  • Network: the attacker must have access to the administrative category creation interface

Reproduction

1. Install Drupal 6.14 (or 5.20) and enable the Contact module from Administer → Modules.
2. Navigate to Administer → Site building → Contact form and click "Add category."
3. Enter `<script>alert('xss');</script>` in the "Category" text field, enter arbitrary recipients, and click "Save."
4. Observe the JavaScript alert execute when the page loads at `?q=admin/build/contact` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
