FreeBSD : drupal -- multiple vulnerabilities (10720fe8-51e0-11e1-91c1-00215c6a37bb)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Drupal development team reports :

Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826

A CSRF vulnerability can force an aggregator feed to update. Since
some services are rate-limited (e.g. Twitter limits requests to 150
per hour) this could lead to a denial of service.
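The advisory does not show the Aggregator update link or the fix that was applied; the block below is an added example, not Drupal's or Tenable's code. It shows the pattern behind a forced-update CSRF on a GET link and the usual countermeasure, a token bound to the victim's session and to the exact action. The site key, session identifiers, host name and the aggregator update path are constructed for the example and are assumptions, not values from the page.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret; a framework would hold this server-side.
SITE_PRIVATE_KEY = b"constructed-site-private-key"


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session and one exact action path."""
    msg = f"{session_id}\0{action}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def token_valid(token, session_id: str, action: str) -> bool:
    if token is None:
        return False
    expected = csrf_token(session_id, action).encode()
    return hmac.compare_digest(expected, token.encode())


def update_link(feed_id: int, session_id: str) -> str:
    """Link rendered for the logged-in user; the token travels with it."""
    # Path shape modelled on Drupal 7's aggregator update route (assumption).
    action = f"admin/config/services/aggregator/update/{feed_id}"
    query = urlencode({"token": csrf_token(session_id, action)})
    return f"https://site.example/{action}?{query}"


def handle_update_vulnerable(url: str, feeds_refreshed: list) -> bool:
    """Pre-fix pattern: any GET to the update path refreshes the feed.
    A cross-site page can embed this URL (image tag, script) and every
    visiting user's browser, carrying their cookies, triggers a fetch."""
    action = urlparse(url).path.lstrip("/")
    feeds_refreshed.append(int(action.rsplit("/", 1)[1]))
    return True


def handle_update_request(url: str, session_id: str, feeds_refreshed: list) -> bool:
    """Hardened handler: refresh only when the token matches this session
    and this action; a third-party page cannot compute the victim's token."""
    parsed = urlparse(url)
    action = parsed.path.lstrip("/")
    token = parse_qs(parsed.query).get("token", [None])[0]
    if not token_valid(token, session_id, action):
        return False
    feeds_refreshed.append(int(action.rsplit("/", 1)[1]))
    return True


if __name__ == "__main__":
    forged = "https://site.example/admin/config/services/aggregator/update/7"
    print("vulnerable accepts forged link:", handle_update_vulnerable(forged, []))
    print("hardened rejects forged link:", not handle_update_request(forged, "s-victim", []))
    print("hardened accepts own link:", handle_update_request(update_link(7, "s-victim"), "s-victim", []))
```

The token is also rejected when it was minted for another session, so an attacker cannot harvest a token from their own account and embed it in a page aimed at other users; each forced refresh that would have counted against the upstream rate limit is refused before any fetch happens.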

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID
relying parties implement Attribute Exchange (AX). Not verifying that
attributes being passed through AX have been signed could allow an
attacker to modify users' information.
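The advisory describes the flaw only in prose. The block below is an added example, not Drupal's code, that shows why an unsigned extension field is worthless: an OpenID 2.0 positive assertion is signed over exactly the fields listed in openid.signed, and the indirect response passes through the user's browser, so whoever controls that browser can append AX or SREG fields that the signature never covered. The association key, endpoints, nonce and e-mail addresses are constructed values; the serialisation follows the OpenID 2.0 key-value form (signed fields in order, "openid." prefix stripped).

```python
import base64
import hashlib
import hmac

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
EMAIL = "http://axschema.org/contact/email"

# Constructed association MAC key shared by OP and RP (not a real key).
MAC_KEY = b"constructed-association-mac-key"


def kv_form(params: dict, signed_fields: list) -> bytes:
    """Key-value serialisation of exactly the signed fields, in order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def sign_response(params: dict, signed_fields: list, mac_key: bytes) -> dict:
    """OP side: record which fields are signed and MAC only those."""
    resp = dict(params)
    resp["openid.signed"] = ",".join(signed_fields)
    mac = hmac.new(mac_key, kv_form(resp, signed_fields), hashlib.sha1).digest()
    resp["openid.sig"] = base64.b64encode(mac).decode()
    return resp


def signature_valid(params: dict, mac_key: bytes) -> bool:
    """RP side: recompute the MAC over the fields the OP says it signed."""
    fields = params.get("openid.signed", "").split(",")
    try:
        expected = hmac.new(mac_key, kv_form(params, fields), hashlib.sha1).digest()
    except KeyError:  # a listed field is missing from the message
        return False
    return hmac.compare_digest(expected, base64.b64decode(params.get("openid.sig", "")))


def extension_fields(params: dict, ns_uri: str, require_signed: bool) -> dict:
    """{suffix: value} for every field under an alias bound to ns_uri.
    With require_signed, the alias declaration (ns.<alias>) and each
    field (<alias>.<suffix>) must both appear in openid.signed."""
    signed = set(params.get("openid.signed", "").split(","))
    out = {}
    for key, value in params.items():
        if not (key.startswith("openid.ns.") and value == ns_uri):
            continue
        alias = key[len("openid.ns."):]
        if require_signed and f"ns.{alias}" not in signed:
            continue
        prefix = f"openid.{alias}."
        for k, v in params.items():
            if k.startswith(prefix):
                suffix = k[len(prefix):]
                if require_signed and f"{alias}.{suffix}" not in signed:
                    continue
                out[suffix] = v
    return out


def ax_attributes(params: dict, require_signed: bool) -> dict:
    """AX fetch_response: pair type.<name> with value.<name> -> {type URI: value}."""
    fields = extension_fields(params, AX_NS, require_signed)
    attrs = {}
    for suffix, type_uri in fields.items():
        if suffix.startswith("type."):
            name = suffix[len("type."):]
            if f"value.{name}" in fields:
                attrs[type_uri] = fields[f"value.{name}"]
    return attrs


def sreg_attributes(params: dict, require_signed: bool) -> dict:
    """SREG carries plain <alias>.<name> -> value fields."""
    return extension_fields(params, SREG_NS, require_signed)


# Constructed assertion core shared by both scenarios.
BASE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/alice",
    "openid.identity": "https://op.example/alice",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2012-02-01T12:00:00Zq9Yx",
    "openid.assoc_handle": "constructed-handle",
}
CORE_SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle", "signed"]

# Scenario 1: honest OP returns the e-mail via AX and signs the AX fields.
HONEST = sign_response(
    {**BASE, "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
     "openid.ext1.type.email": EMAIL, "openid.ext1.value.email": "alice@op.example"},
    CORE_SIGNED + ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"],
    MAC_KEY)

# Scenario 2: OP returned no attributes; the browser owner appends unsigned
# AX and SREG fields claiming a different address. The signature still holds.
TAMPERED = sign_response(BASE, CORE_SIGNED, MAC_KEY)
TAMPERED.update({
    "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": EMAIL, "openid.ext1.value.email": "admin@rp.example",
    "openid.ns.sreg": SREG_NS, "openid.sreg.email": "admin@rp.example",
})
```

A relying party that checks only openid.sig and then reads AX or SREG values accepts the injected address; one that also requires the namespace declaration and each attribute field to be in openid.signed sees no attributes at all in the tampered response, while the honest response still yields the signed e-mail.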

This issue affects Drupal 6.x and 7.x.

Access bypass in File module
CVE: CVE-2012-0827

When using private files in combination with certain field access
modules, the File module will allow users to download the file even if
they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

See also :

http://www.nessus.org/u?ba134635

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 57857

CVE ID: CVE-2012-0825
CVE-2012-0826
CVE-2012-0827
