CVE-2009-3648 (GCVE-0-2009-3648)
Vulnerability from cvelistv5
Published
2009-10-09 14:18
Modified
2024-08-07 06:38
Severity ?
CWE
  • n/a
Summary
Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with 'administer content types' permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T06:38:29.900Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "servicelinks-content-type-xss(53633)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53633"
          },
          {
            "name": "36584",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/36584"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.madirish.net/?article=251"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-10-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with \u0027administer content types\u0027 permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "servicelinks-content-type-xss(53633)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53633"
        },
        {
          "name": "36584",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/36584"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.madirish.net/?article=251"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-3648",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with \u0027administer content types\u0027 permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "servicelinks-content-type-xss(53633)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53633"
            },
            {
              "name": "36584",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/36584"
            },
            {
              "name": "http://www.madirish.net/?article=251",
              "refsource": "MISC",
              "url": "http://www.madirish.net/?article=251"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-3648",
    "datePublished": "2009-10-09T14:18:00",
    "dateReserved": "2009-10-09T00:00:00",
    "dateUpdated": "2024-08-07T06:38:29.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-3648\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-10-09T14:30:00.420\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with \u0027administer content types\u0027 permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en el m\u00f3dulo de Drupal \\\"Service Links\\\" v6.x-1.0, permite inyectar HTML o scripts we aleatorios a usuarios remotos autenticados, con permisos para \\\"administrar tipos de contenido \\\", a trav\u00e9s de vectores no especificados cuando se muestran los nombres de tipo de contenido.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apsivam:service_links:6.x-1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DF61CB4-6946-493A-AB36-BF7DBBBE08BF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"799CA80B-F3FA-4183-A791-2071A7DA1E54\"}]}]}],\"references\":[{\"url\":\"http://www.madirish.net/?article=251\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"http://www.securityfocus.com/bid/36584\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53633\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.madirish.net/?article=251\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"http://www.securityfocus.com/bid/36584\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53633\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorSolution\":\"Per: http://www.madirish.net/?article=251\\r\\n\\r\\n\\r\\nPatch\\r\\n\\r\\nApplying the following patch mitigates these threats.\\r\\n\\r\\n--- service_links/service_links.module\\t2008-02-26 12:01:27.000000000 -0500\\r\\n+++ service_links/service_links.module\\t2009-10-02 06:33:21.000000000 -0400\\r\\n@@ -35,11 +35,12 @@ function service_links_admin_settings() \\r\\n     \u0027#title\u0027 =\u003e t(\u0027Where to show the service links\u0027),\\r\\n     \u0027#description\u0027 =\u003e t(\u0027Set the node types and categories you want to display links for.\u0027),\\r\\n   );\\r\\n+  $names = array_map(\u0027filter_xss\u0027, node_get_types(\u0027names\u0027));\\r\\n   $form[\u0027where_to_show_the_links\u0027][\u0027service_links_node_types\u0027] = array(\\r\\n     \u0027#type\u0027 =\u003e \u0027checkboxes\u0027,\\r\\n     \u0027#title\u0027 =\u003e t(\u0027Node types\u0027),\\r\\n     \u0027#default_value\u0027 =\u003e variable_get(\u0027service_links_node_types\u0027, array()),\\r\\n-    \u0027#options\u0027 =\u003e node_get_types(\u0027names\u0027),\\r\\n+    \u0027#options\u0027 =\u003e $names,\\r\\n   );\\r\\n   if (module_exists(\u0027taxonomy\u0027)) {\\r\\n     $form[\u0027where_to_show_the_links\u0027][\u0027service_links_category_types\u0027] = array(\\r\\n\"}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.