CVE-2009-4371

Name of the Vulnerable Software and Affected Versions Drupal Core versions 6.14 through 6.15

Description A cross-site scripting (XSS) issue exists in the Locale module, allowing remote authenticated users with administer languages permissions to inject arbitrary web script or HTML via the Language name in English or Native language name fields in the Custom language form.

Recommendations For versions 6.14 through 6.15, update to a version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Custom language form for users with administer languages permissions until a patch is available. Avoid using the Language name in English and Native language name fields in the affected form until the issue is resolved.