CVE-2009-2074 in Nodequeueinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via vocabulary names.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 11/11/2018

The vulnerability described in CVE-2009-2074 represents a critical cross-site scripting weakness within the Nodequeue module for Drupal content management systems. This flaw affects versions 5.x prior to 5.x-2.7 and 6.x prior to 6.x-2.2, creating a significant security risk for Drupal installations that utilize this module. The vulnerability specifically targets the handling of vocabulary names within the taxonomy administration interface, where user input is not properly sanitized before being rendered back to users.

The technical nature of this vulnerability stems from insufficient input validation and output encoding within the Nodequeue module's administrative components. When authenticated users with administer taxonomy permissions create or modify vocabulary names, the module fails to adequately escape or filter special characters that could be interpreted as HTML or JavaScript code. This improper handling allows malicious actors to inject arbitrary web scripts or HTML content that executes in the context of other users' browsers who view the affected taxonomy pages.

From an operational perspective, this vulnerability poses substantial risks to Drupal websites relying on Nodequeue for content organization and management. Attackers with minimal privileges can leverage this weakness to execute malicious code in the browsers of other users, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The impact is particularly severe because the vulnerability requires only authenticated access with specific permissions, making it exploitable by insiders or compromised accounts with taxonomy administration rights. The XSS payload can be crafted to steal cookies, modify page content, or perform actions on behalf of victims, depending on the target audience and their privileges.

The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications, and represents a classic example of insufficient output escaping in web applications. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1059.001 for command and control through scripting, and T1531 for credential access through web application attacks. Organizations using affected Drupal versions should immediately upgrade to patched releases or implement temporary workarounds such as input sanitization filters and enhanced access controls to limit the scope of users who can modify taxonomy vocabulary names. The security implications extend beyond immediate exploitation potential to include long-term damage to user trust and potential data breaches that could compromise sensitive organizational information.

This vulnerability demonstrates the critical importance of proper input validation and output encoding in web application security, particularly within content management systems where user-generated content and administrative functions intersect. The attack vector highlights the need for comprehensive security testing of contributed modules and the implementation of defense-in-depth strategies that protect against both external and internal threats within web applications.

Reservation

06/16/2009

Disclosure

06/16/2009

Moderation

accepted

Entry

VDB-48618

CPE

ready

EPSS

0.01028

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!