Candidate: CVE-2009-2372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2372
http://drupal.org/node/507572
Drupal 6.x before 6.13 does not prevent users from modifying user
signatures after the associated comment format has been changed to an
administrator-controlled input format, which allows remote authenticated
users to inject arbitrary web script, HTML, and possibly PHP code via a
crafted user signature.
mdeslaur> SA-CORE-2009-007
upstream_drupal6: released (6.13)
jaunty_drupal6: released (6.10-1ubuntu0.1)
devel_drupal6: not-affected (6.12-1.1ubuntu1)