Drupal Public Comment PHP Code Injection

High

Synopsis

The remote host is vulnerable to a Script Injection attack.

Description

The remote host is running Drupal, a content management system. This version of Drupal contains a flaw in the way it handles user-supplied comments. Specifically, an attacker can embed PHP script code within a comment, and the remote web server will then execute it. To exploit this flaw, an attacker would only need to post a specially formatted comment via the Drupal web interface.

Solution

Upgrade or patch according to vendor recommendations.