CVE-2009-1576

Publication date 6 May 2009

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Description

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.

Read the notes from the security team

Status

Package Ubuntu Release Status
drupal5 9.10 karmic
Not affected
9.04 jaunty
Fixed 5.15-1ubuntu1.1
8.10 intrepid
Fixed 5.10-1ubuntu1.1
8.04 LTS hardy
Fixed 5.7-1ubuntu1.2
6.06 LTS dapper Not in release
drupal6 9.10 karmic
Not affected
9.04 jaunty
Fixed 6.10-1ubuntu0.1
8.10 intrepid Not in release
8.04 LTS hardy Not in release
6.06 LTS dapper Not in release

Notes

mdeslaur

SA-CORE-2009-005

References

Other references