
Drupal 8.x < 8.2.3 Multiple Vulnerabilities

Medium

Synopsis

The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The version of Drupal installed on the remote server is 8.x prior to 8.2.3 and is therefore affected by the following vulnerabilities:

- A flaw exists in the taxonomy module, which uses access query tags that are inconsistent with the standard access system used by Drupal core. A remote attacker may be able to exploit this to gain access to sensitive information about taxonomy terms. (CVE-2016-9449)

- A flaw exists in the password reset page because the program fails to properly specify the cache context. A remote attacker may be able to exploit this to poison the cache and, for example, add unwanted content to the page. (CVE-2016-9450)

- A flaw exists in the transliterate mechanism that is triggered when handling a specially crafted URL. A remote attacker may be able to exploit this to cause a crash. (CVE-2016-9452)

Solution

Upgrade to Drupal 8.2.3 or later.