CVE-2009-4602
Description
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Randomizer module for Drupal 5.x and 6.x fails to sanitize user input, enabling reflected XSS attacks.
Vulnerability
The Randomizer module for Drupal versions 5.x through 5.x-1.0 and 6.x through 6.x-1.0 does not sanitize user-supplied data before displaying it, leading to a cross-site scripting (XSS) vulnerability in the form input handling [1]. The module accepts input as parameters for generating pseudo-random number lists and fails to escape these parameters when rendering output [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL or form submission that includes arbitrary HTML or JavaScript in the user-supplied parameters [1]. No authentication is required, as the vulnerable input is exposed to remote unauthenticated users [1]. The attacker must convince a victim to visit a specially crafted page or link that submits the malicious payload to the Randomizer module [1].
Impact
Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the context of the victim's session [1]. This can lead to information disclosure, session hijacking, or other actions that the victim's browser can perform within the Drupal site [1]. The attacker does not gain direct control over the server but can execute actions on behalf of the victim.
Mitigation
The Randomizer module is not maintained and no patch is available [1]. The only mitigation is to disable the module entirely [1]. Sites that do not use this module are not affected [1]. No known CISA KEV listing exists for this CVE.
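The defect described above (a user-supplied parameter rendered into page output without escaping) and the fix a maintainer would apply are illustrated below. This is an added example written for this page, not the Randomizer module's code; the function names, the `count` query parameter and the page callback are hypothetical, while `check_plain()` is Drupal 6's real escaping helper (a wrapper around `htmlspecialchars()` with `ENT_QUOTES` and UTF-8 validation).

```php
<?php
// Added illustration, not the Randomizer module's code. The callback names and
// the 'count' parameter are hypothetical; the pattern is what a reflected XSS in
// form or query handling looks like and how output escaping removes it.

// Vulnerable pattern: the raw parameter is concatenated into markup, so any
// HTML or script in it is rendered by the browser of whoever loads the page.
function randomizer_demo_page_vulnerable() {
  $count = isset($_GET['count']) ? $_GET['count'] : '5';
  return '<p>Generating ' . $count . ' random numbers.</p>';
}

// Hardened pattern: escape at the point of output. Inside Drupal 6 use
// check_plain(); the fallback keeps the snippet runnable outside Drupal and
// does the same thing (htmlspecialchars with ENT_QUOTES, UTF-8).
function randomizer_demo_page_safe() {
  $count = isset($_GET['count']) ? $_GET['count'] : '5';
  if (function_exists('check_plain')) {
    $safe = check_plain($count);
  }
  else {
    $safe = htmlspecialchars($count, ENT_QUOTES, 'UTF-8');
  }
  return '<p>Generating ' . $safe . ' random numbers.</p>';
}

// Stronger still: the parameter is meant to be a number, so enforce that type
// and a sane range before it reaches either the generator or the output.
function randomizer_demo_page_validated() {
  $count = isset($_GET['count']) ? (int) $_GET['count'] : 5;
  if ($count < 1 || $count > 100) {
    $count = 5;
  }
  return '<p>Generating ' . $count . ' random numbers.</p>';
}
```

The validated variant is the one to prefer for numeric parameters: type coercion plus a range check removes the injection surface entirely, whereas escaping alone only neutralises it in an HTML text context. Since no patched Randomizer release exists, this pattern matters for site owners auditing other unmaintained modules; for this module itself, disabling it remains the mitigation the advisory gives.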
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:randomizer:5.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:randomizer:6.x-1.0:*:*:*:*:*:*:*
- (no CPE) version range: <=6.x-1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/655668 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2009/3476 (NVD: Vendor Advisory)
- www.securityfocus.com/bid/37274 (NVD)
News mentions
No linked articles in our index yet.