Drupal 7.x < 7.65 / 8.5.x < 8.5.14 / 8.6.x < 8.6.13 XSS (SA-CORE-2019-004)

Severity: Medium | Nessus Plugin ID 123006

Synopsis

A PHP application running on the remote web server is affected by a cross-site scripting vulnerability.

Description

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.65, 8.5.x prior to 8.5.14, or 8.6.x prior to 8.6.13. It is, therefore, affected by a cross-site scripting (XSS) vulnerability in the File module/subsystem: under certain circumstances a malicious user can upload a file that triggers XSS, because data in the uploaded file is not properly sanitized. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number, which is why the plugin runs only in paranoid mode.

Solution

Upgrade to Drupal version 7.65 / 8.5.14 / 8.6.13 or later.
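The version-range logic behind this finding, written out as an added example (not Tenable's plugin code and not Drupal's): it parses a self-reported Drupal version string and decides, per branch, whether it falls before the fixed release named above. The sample inventory and host names are constructed for illustration; `is_affected` returns `None` for versions outside the three listed branches (for example 8.7.x or 9.x), which means "not evaluated by this check", not "safe".

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the Nessus plugin or from Drupal.
# First fixed release on each affected branch, as stated in SA-CORE-2019-004.
# Drupal 7 is versioned MAJOR.MINOR; Drupal 8 is MAJOR.MINOR.PATCH, so the
# branch key for 8.x includes the minor number.
FIXED_BY_BRANCH = {
    (7,):   (7, 65),
    (8, 5): (8, 5, 14),
    (8, 6): (8, 6, 13),
}

_VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:-(?P<pre>[0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split '8.6.13-rc1' into ((8, 6, 13), 'rc1'); reject strings that are
    not a concrete release (e.g. '7.x-dev') rather than guessing."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    return nums, m.group("pre")


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if at or past the
    fix on its branch, None if the branch is not covered by this advisory.

    A pre-release of the fix version (8.6.13-rc1, 8.5.14-beta1) predates the
    fix and is treated as affected.
    """
    nums, pre = parse_version(version)
    branch = (7,) if nums[0] == 7 else nums[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None            # 8.4.x, 8.7.x, 9.x ...: out of scope here
    if len(nums) < len(fixed):
        return None            # '7' or '8.6' alone is a branch, not a release
    head = nums[:len(fixed)]
    if head < fixed:
        return True
    if head == fixed and pre is not None:
        return True            # pre-release of the fix version
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) entries that need the upgrade in Solution."""
    return [(host, ver) for host, ver in inventory if is_affected(ver) is True]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("cms-01.example.internal", "7.64"),
    ("cms-02.example.internal", "8.6.13"),
    ("cms-03.example.internal", "8.5.10"),
    ("cms-04.example.internal", "8.6.13-rc1"),
    ("cms-05.example.internal", "8.7.1"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(f"{host:28} {ver:12} affected={is_affected(ver)}")
    print("needs upgrade:", triage(SAMPLE_INVENTORY))
```

Because the decision is driven purely by the reported version, treat a `True` result the same way this plugin does: as a candidate for patching, not as confirmation that a malicious upload actually succeeds on that host.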

See Also

https://www.drupal.org/sa-core-2019-004

https://www.drupal.org/project/drupal/releases/7.65

https://www.drupal.org/project/drupal/releases/8.5.14

https://www.drupal.org/project/drupal/releases/8.6.13

Plugin Details

Severity: Medium

ID: 123006

File Name: drupal_8_6_13.nasl

Version: 1.6

Type: remote

Published: 3/22/2019

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Risk Information

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2019-6341

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: installed_sw/Drupal, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2019

Vulnerability Publication Date: 3/20/2019

Reference Information

CVE: CVE-2019-6341

IAVA: 2019-A-0092-S