SCA: security update for drupal/core, drupal/drupal (GHSA-5vpr-v24w-mmjj)

medium Tenable Cloud Security Plugin ID 434601

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains.
This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to
exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to
jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version
that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the
site, for example using the jQuery Update module. (CVE-2017-6929)

See Also

https://github.com/advisories/GHSA-5vpr-v24w-mmjj

Plugin Details

Severity: Medium

ID: 434601

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-6929

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2022

Vulnerability Publication Date: 2/21/2018

Reference Information

CVE: CVE-2017-6929

cwe: CWE-79