PT-2009-4802 · Drupal · Drupal

Sumit Datta · Published 2009-07-08 · Updated 2021-04-21 · CVE-2009-2374

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Drupal versions 5.x before 5.19
Drupal versions 6.x before 6.13

Description

Drupal does not properly sanitize failed login attempts on pages that contain sortable tables, so the submitted username and password end up in links on those pages. The credentials can then be exposed through two main vectors: (1) the HTTP Referer header sent to external web sites that are visited from those links, and (2) the Drupal page cache, when page caching is enabled.

Recommendations

For Drupal versions 5.x before 5.19, update to version 5.19 or later to resolve the issue.
For Drupal versions 6.x before 6.13, update to version 6.13 or later to resolve the issue.

Fix


Weakness Enumeration

Related Identifiers

CVE-2009-2374
DSA-1930-1

Affected Products

Drupal