製品・ソフトウェアに関する情報

JVN脆弱性詳細

Drupal の Contact モジュールにおけるクロスサイトスクリプティングの脆弱性

Title	Drupal の Contact モジュールにおけるクロスサイトスクリプティングの脆弱性
Summary	Drupal の Contact モジュールには、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、任意の Web スクリプト、または HTML を注入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 16, 2009, midnight
Registration Date	Feb. 2, 2010, 11:42 a.m.
Last Update	Feb. 2, 2010, 11:42 a.m.

CVSS2.0 : 注意
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N

Affected System

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Drupal

Drupal 5.21 未満

Drupal 6.15 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-4369	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369
National Vulnerability Database (NVD)
2	CVE-2009-4369	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4369

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Asianux Technical Support Network
1	drupal-6.15-1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=785
Drupal Security announcements
2	SA-CORE-2009-009	http://drupal.org/node/661586

その他

No	Name	URL
ISS X-Force Database
1	54867	http://xforce.iss.net/xforce/xfdb/54867
Secunia Advisory
2	SA37815	http://secunia.com/advisories/37815
3	SA37824	http://secunia.com/advisories/37824
SecurityFocus
4	37372	http://www.securityfocus.com/bid/37372

Change Log

No	Changed Details	Date of change
0	[2010年02月02日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-4369

Summary	Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
Summary	Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Contact (modules/contact/contact.admin.inc o modules/contact/contact.module) en Drupal Core v5.x anteriores a v5.21 y v6.x anteriores a v6.15 permite a usuarios autenticados remotamente con permisos para "administrar formularios de contacto en todo el sitio" inyectar secuencias de comandos web o HTML de su elección mediante el nombre de categoría del contacto.
Publication Date	Dec. 22, 2009, 1:30 a.m.
Registration Date	Jan. 29, 2021, 1:26 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:drupal:drupal:5.0:::::::*
cpe:2.3:a:drupal:drupal:5.0:beta1::::::
cpe:2.3:a:drupal:drupal:5.0:beta2::::::
cpe:2.3:a:drupal:drupal:5.0:rc1::::::
cpe:2.3:a:drupal:drupal:5.0:rc2::::::
cpe:2.3:a:drupal:drupal:5.1:::::::*
cpe:2.3:a:drupal:drupal:5.2:::::::*
cpe:2.3:a:drupal:drupal:5.4:::::::*
cpe:2.3:a:drupal:drupal:5.5:::::::*
cpe:2.3:a:drupal:drupal:5.6:::::::*
cpe:2.3:a:drupal:drupal:5.7:::::::*
cpe:2.3:a:drupal:drupal:5.8:::::::*
cpe:2.3:a:drupal:drupal:5.9:::::::*
cpe:2.3:a:drupal:drupal:5.10:::::::*
cpe:2.3:a:drupal:drupal:5.11:::::::*
cpe:2.3:a:drupal:drupal:5.12:::::::*
cpe:2.3:a:drupal:drupal:5.13:::::::*
cpe:2.3:a:drupal:drupal:5.14:::::::*
cpe:2.3:a:drupal:drupal:5.15:::::::*
cpe:2.3:a:drupal:drupal:5.16:::::::*
cpe:2.3:a:drupal:drupal:5.17:::::::*
cpe:2.3:a:drupal:drupal:5.18:::::::*
cpe:2.3:a:drupal:drupal:5.19:::::::*
cpe:2.3:a:drupal:drupal:5.20:::::::*
cpe:2.3:a:drupal:drupal:5.x:dev::::::
cpe:2.3:a:drupal:drupal:6.0:::::::*
cpe:2.3:a:drupal:drupal:6.0:beta1::::::
cpe:2.3:a:drupal:drupal:6.0:beta2::::::
cpe:2.3:a:drupal:drupal:6.0:beta3::::::
cpe:2.3:a:drupal:drupal:6.0:beta4::::::
cpe:2.3:a:drupal:drupal:6.0:rc-1::::::
cpe:2.3:a:drupal:drupal:6.0:rc-2::::::
cpe:2.3:a:drupal:drupal:6.0:rc-3::::::
cpe:2.3:a:drupal:drupal:6.0:rc-4::::::
cpe:2.3:a:drupal:drupal:6.1:::::::*
cpe:2.3:a:drupal:drupal:6.2:::::::*
cpe:2.3:a:drupal:drupal:6.3:::::::*
cpe:2.3:a:drupal:drupal:6.4:::::::*
cpe:2.3:a:drupal:drupal:6.5:::::::*
cpe:2.3:a:drupal:drupal:6.6:::::::*
cpe:2.3:a:drupal:drupal:6.7:::::::*
cpe:2.3:a:drupal:drupal:6.8:::::::*
cpe:2.3:a:drupal:drupal:6.9:::::::*
cpe:2.3:a:drupal:drupal:6.10:::::::*
cpe:2.3:a:drupal:drupal:6.11:::::::*
cpe:2.3:a:drupal:drupal:6.12:::::::*
cpe:2.3:a:drupal:drupal:6.13:::::::*
cpe:2.3:a:drupal:drupal:6.14:::::::*

Related information, measures and tools

No	URL	refsource
1	http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch	cve@mitre.org
2	http://drupal.org/node/661586	cve@mitre.org
3	http://secunia.com/advisories/37815	cve@mitre.org
4	http://secunia.com/advisories/37824	cve@mitre.org
5	http://www.madirish.net/?article=441	cve@mitre.org
6	http://www.securityfocus.com/bid/37372	cve@mitre.org
7	https://exchange.xforce.ibmcloud.com/vulnerabilities/54867	cve@mitre.org
8	http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch	af854a3a-2127-422b-91ae-364da2661108
9	http://drupal.org/node/661586	af854a3a-2127-422b-91ae-364da2661108
10	http://secunia.com/advisories/37815	af854a3a-2127-422b-91ae-364da2661108
11	http://secunia.com/advisories/37824	af854a3a-2127-422b-91ae-364da2661108
12	http://www.madirish.net/?article=441	af854a3a-2127-422b-91ae-364da2661108
13	http://www.securityfocus.com/bid/37372	af854a3a-2127-422b-91ae-364da2661108
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/54867	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:drupal:drupal:5.0:::::::*
cpe:2.3:a:drupal:drupal:5.0:beta1::::::
cpe:2.3:a:drupal:drupal:5.0:beta2::::::
cpe:2.3:a:drupal:drupal:5.0:rc1::::::
cpe:2.3:a:drupal:drupal:5.0:rc2::::::
cpe:2.3:a:drupal:drupal:5.1:::::::*
cpe:2.3:a:drupal:drupal:5.2:::::::*
cpe:2.3:a:drupal:drupal:5.4:::::::*
cpe:2.3:a:drupal:drupal:5.5:::::::*
cpe:2.3:a:drupal:drupal:5.6:::::::*
cpe:2.3:a:drupal:drupal:5.7:::::::*
cpe:2.3:a:drupal:drupal:5.8:::::::*
cpe:2.3:a:drupal:drupal:5.9:::::::*
cpe:2.3:a:drupal:drupal:5.10:::::::*
cpe:2.3:a:drupal:drupal:5.11:::::::*
cpe:2.3:a:drupal:drupal:5.12:::::::*
cpe:2.3:a:drupal:drupal:5.13:::::::*
cpe:2.3:a:drupal:drupal:5.14:::::::*
cpe:2.3:a:drupal:drupal:5.15:::::::*
cpe:2.3:a:drupal:drupal:5.16:::::::*
cpe:2.3:a:drupal:drupal:5.17:::::::*
cpe:2.3:a:drupal:drupal:5.18:::::::*
cpe:2.3:a:drupal:drupal:5.19:::::::*
cpe:2.3:a:drupal:drupal:5.20:::::::*
cpe:2.3:a:drupal:drupal:5.x:dev::::::
cpe:2.3:a:drupal:drupal:6.0:::::::*
cpe:2.3:a:drupal:drupal:6.0:beta1::::::
cpe:2.3:a:drupal:drupal:6.0:beta2::::::
cpe:2.3:a:drupal:drupal:6.0:beta3::::::
cpe:2.3:a:drupal:drupal:6.0:beta4::::::
cpe:2.3:a:drupal:drupal:6.0:rc-1::::::
cpe:2.3:a:drupal:drupal:6.0:rc-2::::::
cpe:2.3:a:drupal:drupal:6.0:rc-3::::::
cpe:2.3:a:drupal:drupal:6.0:rc-4::::::
cpe:2.3:a:drupal:drupal:6.1:::::::*
cpe:2.3:a:drupal:drupal:6.2:::::::*
cpe:2.3:a:drupal:drupal:6.3:::::::*
cpe:2.3:a:drupal:drupal:6.4:::::::*
cpe:2.3:a:drupal:drupal:6.5:::::::*
cpe:2.3:a:drupal:drupal:6.6:::::::*
cpe:2.3:a:drupal:drupal:6.7:::::::*
cpe:2.3:a:drupal:drupal:6.8:::::::*
cpe:2.3:a:drupal:drupal:6.9:::::::*
cpe:2.3:a:drupal:drupal:6.10:::::::*
cpe:2.3:a:drupal:drupal:6.11:::::::*
cpe:2.3:a:drupal:drupal:6.12:::::::*
cpe:2.3:a:drupal:drupal:6.13:::::::*
cpe:2.3:a:drupal:drupal:6.14:::::::*