Vulnerability Name: CVE-2009-0817 (CCN-48980)

Assigned: 2009-02-27
Published: 2009-02-27
Updated: 2017-08-17
Summary: Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with "administer site configuration" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module.
CVSS v3 Severity: 2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2009-0817

Source: CONFIRM
Type: Exploit, Vendor Advisory
http://drupal.org/node/385950

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/386604

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/386606

Source: CCN
Type: Drupal Web site
Protected node

Source: CCN
Type: (L)inux (A)pache (M)ySQL (P)HP Security Web site
Drupal Protected Node Module XSS

Source: MISC
Type: Exploit
http://lampsecurity.org/node/28

Source: OSVDB
Type: UNKNOWN
52300

Source: CCN
Type: SA34060
Drupal Protected Node Module Script Insertion Vulnerability

Source: SECUNIA
Type: Vendor Advisory
34060

Source: CCN
Type: OSVDB ID: 52300
Protected Node Module for Drupal index.php protected_node_info Parameter XSS

Source: CCN
Type: BID-33936
Drupal Protected node Module 'Password page info' HTML Injection Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-0572

Source: XF
Type: UNKNOWN
protectednode-passwordpage-xss(48980)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:drupal:protected_node_module:5.x:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:5.x-1.0:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:5.x-1.2:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:5.x-1.3:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:5.x-1.x-dev:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:6.x-1.0:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:6.x-1.2:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:6.x-1.3:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:protected_node_module:6.x-1.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:drupal:drupal:*:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:drupal:protected_node_module:5.x-1.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    drupal protected node module 5.x
    drupal protected node module 5.x-1.0
    drupal protected node module 5.x-1.2
    drupal protected node module 5.x-1.3
    drupal protected node module 5.x-1.x-dev
    drupal protected node module 6.x-1.0
    drupal protected node module 6.x-1.2
    drupal protected node module 6.x-1.3
    drupal protected node module 6.x-1.4
    drupal drupal *
    drupal protected node module 5.x-1.3