Vulnerability CVE-2009-3156 - CERT Civis.Net

Vulnerability Name:

CVE-2009-3156 (CCN-52143)

Assigned:

2009-07-29

Published:

2009-07-29

Updated:

2017-08-17

Summary:

Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script or HTML via a "Content type label" field.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
1.8 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2009-3156

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/534332

Source: CCN
Type: DRUPAL-SA-CONTRIB-2009-046
SA-CONTRIB-2009-046 - Date - Cross Site Scripting

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/534636

Source: CCN
Type: Drupal Web site
Date Module

Source: MISC
Type: UNKNOWN
http://lampsecurity.org/drupal-date-xss-vulnerability

Source: CCN
Type: SA36006
Drupal Date Module Script Insertion Vulnerability

Source: SECUNIA
Type: Vendor Advisory
36006

Source: OSVDB
Type: UNKNOWN
56608

Source: CCN
Type: OSVDB ID: 56608
Date Module for Drupal Field Label XSS

Source: BID
Type: Patch
35790

Source: CCN
Type: BID-35790
Multiple Drupal Modules Date Wizard HTML Injection Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2009-2103

Source: XF
Type: UNKNOWN
drupal-date-datetools-xss(52143)

Source: XF
Type: UNKNOWN
drupal-date-datetools-xss(52143)

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-8162

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-8184

Vulnerable Configuration:

Configuration 1:

cpe:/a:drupal:drupal:*:*:*:*:*:*:*:*

AND

cpe:/a:karen_stevenson:date:6.x-1.0-beta:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-1.x-dev:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc1:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc2:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc3:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc4:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc5:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0:rc6:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0-beta:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0-beta2:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0-beta3:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.0-beta4:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.1:*:*:*:*:*:*:*

OR cpe:/a:karen_stevenson:date:6.x-2.2:*:*:*:*:*:*:*

Denotes that component is vulnerable