FreeBSD : drupal -- multiple vulnerabilities (59a0af97-dbd4-11e5-8fa8-14dae9d210b8)

Nessus Plugin ID 88977 (Severity: High)

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Drupal Security Team reports:

- File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)

- Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)

- Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)

- Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)

- HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)

- Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)

- Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)

- Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)

- Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)

- Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?63dc5eac

http://www.nessus.org/u?44e6fe34

Plugin Details

Severity: High

ID: 88977

File Name: freebsd_pkg_59a0af97dbd411e58fa814dae9d210b8.nasl

Version: 2.4

Type: local

Published: 2/26/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal6, p-cpe:/a:freebsd:freebsd:drupal7, p-cpe:/a:freebsd:freebsd:drupal8, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/25/2016

Vulnerability Publication Date: 2/24/2016