Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2009-4371

Published: 21 December 2009

Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.

Notes

AuthorNote
mdeslaur 
although CVE-2009-4371 was mentioned in the recently-published
drupal packages, it isn't actually fixed as this CVE was not
part of SA-CORE-2009-009.
ari-tczew 
fix-upload was published

Priority

Low

Status

Package Release Status
drupal6
Launchpad, Ubuntu, Debian 		dapper Does not exist

hardy Does not exist

intrepid Does not exist

jaunty
Released
karmic
Released
upstream Needed

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading