Candidate: CVE-2009-1844
PublicDate: 2009-06-01 14:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1844
 http://drupal.org/node/461886
Description:
 Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18
 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary
 web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7
 by Internet Explorer 6 and 7, which are not properly handled in the "HTML
 exports of books" feature; and (2) allow remote authenticated users with
 administer taxonomy permissions to inject arbitrary web script or HTML via the
 help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an
 incomplete fix for CVE-2009-1575.
Ubuntu-Description:
Notes:
 mdeslaur> SA-CORE-2009-006
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_drupal5:
upstream_drupal5: released (5.18)
dapper_drupal5: DNE
hardy_drupal5: released (5.7-1ubuntu1.2)
intrepid_drupal5: released (5.10-1ubuntu1.1)
jaunty_drupal5: released (5.15-1ubuntu1.1)
karmic_drupal5: not-affected (5.18-1.1ubuntu2)
devel_drupal5: DNE

Patches_drupal6:
upstream_drupal6: released (6.12)
dapper_drupal6: DNE
hardy_drupal6: DNE
intrepid_drupal6: DNE
jaunty_drupal6: released (6.10-1ubuntu0.1)
karmic_drupal6: not-affected (6.12-1.1ubuntu1)
devel_drupal6: not-affected (6.12-1.1ubuntu1)