VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2009 · Updated Apr 23, 2026

CVE-2009-4370

Description

Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal 6.x Menu module fails to sanitize menu descriptions, enabling cross-site scripting by authenticated users with menu creation permissions.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Menu module of Drupal Core 6.x, specifically in modules/menu/menu.admin.inc. The module does not properly sanitize user-supplied menu descriptions when rendering the menu administration overview page. Any authenticated user with the permission to create new menus can inject arbitrary HTML and script code via the menu description field. Drupal 6.x versions prior to 6.15 are affected; Drupal 5.x is not impacted by this particular issue [1].
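The flaw described above is an output-encoding defect: a string entered by a user holding only the "create new menus" permission is later rendered into a page viewed by administrators, so the menu description crosses a trust boundary and must be escaped at output time. The following PHP is an added illustration written for this page; it is not Drupal core code and does not reproduce the actual 6.15 change. The `check_plain_shim()` helper, the `overview_row_*` functions and the sample menus are constructed for the example; the shim mirrors the behaviour of Drupal 6's real `check_plain()` (HTML-encode the whole string) so the script runs without a Drupal bootstrap.

```php
<?php
// Added illustration, not code from Drupal core or from this advisory.
// Models how a menu description reaches the menu administration overview
// and contrasts raw interpolation with escaping on output.

// Stand-in for Drupal 6's check_plain(): encode text for safe use as HTML.
function check_plain_shim(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: one benign menu, one whose description carries markup
// (the kind of value a low-privilege menu creator could save).
$menus = [
    ['menu_name' => 'navigation', 'title' => 'Navigation', 'description' => 'Site navigation links'],
    ['menu_name' => 'custom',     'title' => 'Custom',     'description' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: user-controlled fields concatenated straight into the table.
function overview_row_unsafe(array $menu): string {
    return '<tr><td>' . $menu['title'] . '</td><td>' . $menu['description'] . '</td></tr>';
}

// Hardened pattern: every user-controlled field is escaped at the point of output,
// regardless of which permission the author of the value held.
function overview_row_safe(array $menu): string {
    return '<tr><td>' . check_plain_shim($menu['title']) . '</td><td>'
        . check_plain_shim($menu['description']) . '</td></tr>';
}

// Builds the overview table using the supplied row renderer.
function render_overview(array $menus, callable $row): string {
    $html = "<table>\n";
    foreach ($menus as $menu) {
        $html .= $row($menu) . "\n";
    }
    return $html . '</table>';
}

$unsafe = render_overview($menus, 'overview_row_unsafe');
$safe   = render_overview($menus, 'overview_row_safe');

// Self-check: the unsafe rendering emits the raw tag; the hardened one emits only
// encoded text, which the browser displays rather than executes.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $safe, "\n";
```

Run with `php example.php`; the printed table shows the description encoded as `&lt;script&gt;alert(1)&lt;/script&gt;`. The design choice worth noting is where the escaping lives: in the renderer, not in the form that saves the description, so the overview stays safe even if a value was stored by an older version or by a code path that skipped input validation. If an admin page genuinely needs to allow limited markup in such a field, a whitelist filter (Drupal 6 provides `filter_xss_admin()` for that purpose) is the alternative to full encoding; what is never acceptable is the raw concatenation shown in `overview_row_unsafe()`.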

Exploitation

An attacker must have an authenticated account on a Drupal 6.x site and be granted the "create new menus" permission. The attacker creates a new menu and enters malicious JavaScript or HTML into the menu description field. When a privileged user (such as an administrator) visits the menu administration overview page, the injected script executes in the context of the victim's session [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the menu administration page. This can lead to session hijacking, privilege escalation, or administrative account takeover by, for example, tricking an admin into performing actions or stealing authentication cookies. The CVSS score is not provided, but the advisory rates the risk as "Not critical" [1].

Mitigation

Upgrade to Drupal 6.15, which was released on December 16, 2009, and includes the fix. For sites unable to upgrade immediately, the advisory provides a patch (SA-CORE-2009-009-6.14.patch) that can be applied to Drupal 6.14 as a temporary workaround [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (24)

  • Drupal / Drupal (23 versions)
    • cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.0:rc-4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.13:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
  • Range: >=6.0 <6.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.