CVE-2009-4371
Description
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 6.14-6.15 Locale module stored XSS: an authenticated user holding the "administer languages" permission can inject arbitrary JavaScript through the custom language name fields, and the payload later executes in an administrator's browser.
Vulnerability
The Locale module (modules/locale/locale.module) in Drupal Core 6.14 (and likely 6.15) contains a stored cross-site scripting (XSS) vulnerability. The module does not sanitize the 'Language name in English' and 'Native language name' fields of the custom language form before reusing them as output. The stored values are later rendered, without output filtering, in the language selector shown to other users, notably on the user administration pages. Affected versions include Drupal 6.14 and possibly 6.15 [1].
Exploitation
An attacker must be authenticated and possess the 'administer languages' permission. The attacker navigates to the custom language form under Administer > Site configuration > Languages, expands the 'Custom language' section, and enters a script payload (e.g., `<script>alert('xss1');</script>`) in either the 'Language name in English' or 'Native language name' field. Submitting the form stores the payload in the site's language list. When an administrator later opens a page that renders that list, such as the user management pages (Administer > User management > Users, including the 'Add user' form), the stored JavaScript executes in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session. This can lead to session hijacking, administrative account compromise, and potentially full web server process compromise through further exploitation [1].
Mitigation
The Drupal project released a patch that applies filter_xss to the language name options array. The cited reference places the fix in Drupal 6.15, while the CVE description hedges that 6.15 may also be affected, so after upgrading confirm that the installed modules/locale/locale.module actually carries the `array_map('filter_xss', ...)` call. Users should upgrade to Drupal 6.15 or later. Because the fix filters on output only, language names already stored by an attacker remain in the database and should be reviewed and cleaned up after the upgrade. No workaround is documented beyond ensuring that only trusted users have the 'administer languages' permission [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization in the locale module allows user-supplied language names to be rendered unsanitized in the user management page."
Attack vector
A remote authenticated attacker with the "administer languages" permission can inject arbitrary HTML or JavaScript via the "Language name in English" or "Native language name" fields in the Custom language form [ref_id=1]. When an administrator later visits the user management page (Administer → User management → Users), the unsanitized language name is rendered in the language selection dropdown, executing the injected script [ref_id=1]. This is a stored XSS vulnerability [CWE-79].
Affected code
The vulnerability resides in `modules/locale/locale.module` in the `locale_user()` function. The `$names` array, which contains language name strings, is passed directly as the `#options` value for a form element without sanitization [ref_id=1]. The patch adds `array_map('filter_xss', $names)` to filter the output before display [ref_id=1].
What the fix does
The patch applies `array_map('filter_xss', $names)` to the `$names` array before it is used as the `#options` value in the language selection form element [ref_id=1]. The `filter_xss()` function strips dangerous HTML tags and attributes from each language name, preventing stored XSS. The vendor response advises upgrading to the latest version [ref_id=1].
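The following PHP is an added example, not Drupal's own code, modelling the two output paths described in the Affected code and fix sections: the `$names` list that `locale_user()` builds from the stored language records, the unsafe rendering of those labels, and the patched rendering that maps a sanitizer over `$names` first. It also includes a post-upgrade audit of stored records, since the fix filters on output and leaves injected names in the database. Assumptions: the language records carry the Drupal 6 `languages` columns `language`, `name` and `native`; `t()` is modelled as the identity; and `filter_xss_standin()` (a stand-in that strips every tag) replaces Drupal's `filter_xss()`, which is stricter than Drupal's allowed-tag list but demonstrates the same boundary. The rows and payloads are constructed.

```php
<?php
// Added example (not Drupal's code): models how Drupal 6 locale_user() built the
// $names option list from stored language records and how the patch changed it.
// Assumptions: rows carry the Drupal 6 `languages` columns `language`, `name`,
// `native`; t() is modelled as identity; filter_xss() is replaced by a stand-in
// that strips all tags, which is stricter than Drupal's own allowed-tag list.

/** Constructed rows: what the `languages` table could hold after the attack. */
function sample_language_rows(): array {
    return [
        ['language' => 'en', 'name' => 'English', 'native' => 'English'],
        ['language' => 'xx',
         'name'     => "<script>alert('xss1');</script>",
         'native'   => "<script>alert('xss2');</script>"],
    ];
}

/** Stand-in for Drupal's filter_xss(): removes every tag and its attributes. */
function filter_xss_standin(string $value): string {
    return strip_tags($value);
}

/** Mirrors locale_user(): "Name (Native)" when the two differ, else just "Name". */
function build_language_names(array $rows): array {
    $names = [];
    foreach ($rows as $row) {
        $name = $row['name']; // t() modelled as identity
        $names[$row['language']] = $name .
            ($row['native'] != $name ? ' (' . $row['native'] . ')' : '');
    }
    return $names;
}

/**
 * Models the unsafe output path: each option label is interpolated into the
 * markup verbatim, the way a form element label rendered without escaping is.
 * Only the value attribute is escaped, to keep the demonstration honest about
 * where the label text lands.
 */
function render_language_options(array $names): string {
    $html = '';
    foreach ($names as $langcode => $label) {
        $html .= '<label><input type="radio" name="language" value="'
            . htmlspecialchars($langcode, ENT_QUOTES, 'UTF-8') . '"> '
            . $label . "</label>\n";
    }
    return $html;
}

/** Vulnerable: $names passed straight through as #options, as in Drupal 6.14. */
function render_vulnerable(array $rows): string {
    return render_language_options(build_language_names($rows));
}

/** Patched: array_map over $names before they become #options, as in the 6.15 fix. */
function render_patched(array $rows): string {
    $names = build_language_names($rows);
    return render_language_options(array_map('filter_xss_standin', $names));
}

/**
 * Post-upgrade audit: the fix filters on output only, so injected names stay in
 * the database. Returns the language codes whose stored name or native name
 * still contains markup, for manual cleanup.
 */
function find_tainted_languages(array $rows): array {
    $tainted = [];
    foreach ($rows as $row) {
        if ($row['name'] !== strip_tags($row['name']) ||
            $row['native'] !== strip_tags($row['native'])) {
            $tainted[] = $row['language'];
        }
    }
    return $tainted;
}

// Usage: the vulnerable output contains both <script> tags, the patched output
// contains none, and the audit flags the "xx" record for cleanup.
$rows = sample_language_rows();
echo "vulnerable:\n" . render_vulnerable($rows);
echo "patched:\n" . render_patched($rows);
echo "tainted: " . implode(', ', find_tainted_languages($rows)) . "\n";
```

Running the script shows the vulnerable rendering emitting the raw `<script>` labels and the patched rendering reducing them to `alert('xss1'); (alert('xss2');)`. The audit function is the part to keep after upgrading: against a live Drupal 6 database the same check is a query over the `languages` table's `name` and `native` columns for values containing `<` (assuming the Drupal 6 schema), followed by manual correction of any hit, because neither the patch nor the upgrade rewrites stored data.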
Preconditions
- auth: Attacker must have the 'administer languages' permission
- config: Locale module must be enabled
- input: Attacker must be able to submit the Custom language form
Reproduction
1. Install Drupal 6.14 and enable the Locale module from Administer → Modules.
2. Navigate to Administer → Site configuration → Languages and click "Add language".
3. Expand the form area by clicking "Custom language".
4. Enter `<script>alert('xss1');</script>` in the "Language name in English" field and `<script>alert('xss2');</script>` in the "Native language name" field.
5. Enter arbitrary values for "Direction" and click "Add custom language".
6. Navigate to Administer → User management → Users and click "Add user" to observe the rendered JavaScript [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.madirish.net (NVD tags: Exploit, Patch)
- secunia.com/advisories/37825 (NVD tag: Vendor Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/54873 (NVD)
News mentions
No linked articles in our index yet.