CVE-2009-1576

2009-05-0600:00:00

ubuntu.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS

0.007

Percentile

79.9%

JSON

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as
used in vbDrupal before 5.17.0, allows user-assisted remote attackers to
obtain sensitive information by tricking victims into visiting the front
page of the site with a crafted URL and causing form data to be sent to an
attacker-controlled site, possibly related to multiple / (slash) characters
that are not properly handled by includes/bootstrap.inc, as demonstrated
using the search box. NOTE: this vulnerability can be leveraged to conduct
cross-site request forgery (CSRF) attacks.

Notes

Author	Note
mdeslaur	SA-CORE-2009-005

OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchdrupal5< 5.7-1ubuntu1.2UNKNOWN
ubuntu8.10noarchdrupal5< 5.10-1ubuntu1.1UNKNOWN
ubuntu9.04noarchdrupal5< 5.15-1ubuntu1.1UNKNOWN
ubuntu9.04noarchdrupal6< 6.10-1ubuntu0.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.04	noarch	drupal5	< 5.7-1ubuntu1.2	UNKNOWN
ubuntu	8.10	noarch	drupal5	< 5.10-1ubuntu1.1	UNKNOWN
ubuntu	9.04	noarch	drupal5	< 5.15-1ubuntu1.1	UNKNOWN
ubuntu	9.04	noarch	drupal6	< 6.10-1ubuntu0.1	UNKNOWN