CVE-2009-0817 - OpenCVE

Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with "administer site configuration" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal Protected Node Module

Configuration 1 [-]

AND

OR	cpe:2.3:a:drupal:protected_node_module:5.x:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.0:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.2:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.3:::::::*
	cpe:2.3:a:drupal:protected_node_module:5.x-1.x-dev:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.0:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.2:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.3:::::::*
	cpe:2.3:a:drupal:protected_node_module:6.x-1.4:::::::*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://drupal.org/node/385950
http://drupal.org/node/386604
http://drupal.org/node/386606
http://lampsecurity.org/node/28
http://osvdb.org/52300
http://secunia.com/advisories/34060
http://www.vupen.com/english/advisories/2009/0572
https://exchange.xforce.ibmcloud.com/vulnerabilities/48980

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-03-05T02:00:00

Updated: 2024-08-07T04:48:52.319Z

Reserved: 2009-03-04T00:00:00

Link: CVE-2009-0817

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-03-05T02:30:00.610

Modified: 2024-02-14T01:17:43.863

Link: CVE-2009-0817

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with \"administer site configuration\" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/385950"}, {"name": "34060", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34060"}, {"name": "protectednode-passwordpage-xss(48980)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48980"}, {"name": "ADV-2009-0572", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/0572"}, {"name": "52300", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/52300"}, {"tags": ["x_refsource_MISC"], "url": "http://lampsecurity.org/node/28"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/386606"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/386604"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0817", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with \"administer site configuration\" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://drupal.org/node/385950", "refsource": "CONFIRM", "url": "http://drupal.org/node/385950"}, {"name": "34060", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34060"}, {"name": "protectednode-passwordpage-xss(48980)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48980"}, {"name": "ADV-2009-0572", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/0572"}, {"name": "52300", "refsource": "OSVDB", "url": "http://osvdb.org/52300"}, {"name": "http://lampsecurity.org/node/28", "refsource": "MISC", "url": "http://lampsecurity.org/node/28"}, {"name": "http://drupal.org/node/386606", "refsource": "CONFIRM", "url": "http://drupal.org/node/386606"}, {"name": "http://drupal.org/node/386604", "refsource": "CONFIRM", "url": "http://drupal.org/node/386604"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:48:52.319Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/385950"}, {"name": "34060", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34060"}, {"name": "protectednode-passwordpage-xss(48980)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48980"}, {"name": "ADV-2009-0572", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/0572"}, {"name": "52300", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/52300"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lampsecurity.org/node/28"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/386606"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/386604"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0817", "datePublished": "2009-03-05T02:00:00", "dateReserved": "2009-03-04T00:00:00", "dateUpdated": "2024-08-07T04:48:52.319Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:protected_node_module:5.x:*:*:*:*:*:*:*", "matchCriteriaId": "CA409222-79A5-4C9D-8D79-5F634A61E0FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:5.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "63D34BF7-DDAE-4F29-93CD-503679FAAF24", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:5.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "BEEE7794-247D-4303-A426-C68CD0F934AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:5.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "8F817243-DF82-4B24-992C-6FA4CC0038C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:5.x-1.x-dev:*:*:*:*:*:*:*", "matchCriteriaId": "A507F00C-8570-4265-86F4-CE13CD59F79D", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:6.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "CF91738E-F092-4339-95C1-BA5696C3B935", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "6AE752A2-612D-4E1D-9A6B-3D36CC009245", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:6.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "171053F8-66E2-4DA1-A54B-3C6D96488E50", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:protected_node_module:6.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "9C785797-2B53-4799-9B52-07FCC418ADD4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "799CA80B-F3FA-4183-A791-2071A7DA1E54", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with \"administer site configuration\" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo Protected Node v5.x anterior v5.x-1.4 y v6.x anterior a v6.x-1.5 para Drupal, permite a usuarios autenticados remotamente con permisos de \"configuraci\u00f3n administrativa del sitio\", la inyecci\u00f3n de secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del campo Password Page Info, que no est\u00e1 manejado adecuadamente por la funci\u00f3n protected_node_enterpassword en protected_node.module."}], "id": "CVE-2009-0817", "lastModified": "2024-02-14T01:17:43.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-03-05T02:30:00.610", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://drupal.org/node/385950"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/386604"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/386606"}, {"source": "cve@mitre.org", "tags": ["Exploit", "URL Repurposed"], "url": "http://lampsecurity.org/node/28"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/52300"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34060"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/0572"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48980"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}