CVE 2009-2374
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.
Related bugs and status
CVE-2009-2374 (Candidate) is related to these bugs:
Bug #352644: generally unsecure drupal5 packages
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 352644 | generally unsecure drupal5 packages | drupal5 (Ubuntu) | Undecided | Invalid | ||
Bug #395004: Drupal 6.13 released to fix moderately critical security vulnerability
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 395004 | Drupal 6.13 released to fix moderately critical security vulnerability | drupal6 (Ubuntu) | Medium | Invalid | ||
| 395004 | Drupal 6.13 released to fix moderately critical security vulnerability | drupal6 (Ubuntu Jaunty) | Medium | Invalid | ||
| 395004 | Drupal 6.13 released to fix moderately critical security vulnerability | drupal6 (Ubuntu Karmic) | Medium | Invalid | ||
Bug #395006: Drupal 5.19 released to fix moderately critical security vulnerability
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 395006 | Drupal 5.19 released to fix moderately critical security vulnerability | drupal5 (Ubuntu) | Medium | Invalid | ||
| 395006 | Drupal 5.19 released to fix moderately critical security vulnerability | drupal5 (Ubuntu Hardy) | Medium | Invalid | ||
| 395006 | Drupal 5.19 released to fix moderately critical security vulnerability | drupal5 (Ubuntu Intrepid) | Medium | Invalid | ||
| 395006 | Drupal 5.19 released to fix moderately critical security vulnerability | drupal5 (Ubuntu Karmic) | Medium | Invalid | ||
| 395006 | Drupal 5.19 released to fix moderately critical security vulnerability | drupal5 (Ubuntu Jaunty) | Medium | Invalid | ||
Bug #431080: Fix critical security issues in drupal packages
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 431080 | Fix critical security issues in drupal packages | drupal5 (Ubuntu) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal5 (Ubuntu Hardy) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal5 (Ubuntu Intrepid) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal5 (Ubuntu Jaunty) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal5 (Ubuntu Karmic) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal5 (Debian) | Unknown | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Ubuntu) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Ubuntu Hardy) | Undecided | Invalid | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Ubuntu Intrepid) | Undecided | Invalid | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Ubuntu Jaunty) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Ubuntu Karmic) | Undecided | Fix Released | ||
| 431080 | Fix critical security issues in drupal packages | drupal6 (Debian) | Unknown | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
