According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.86, 9.2.x prior to 9.2.11, or 9.3.x prior to 9.3.3. It is, therefore, affected by multiple vulnerabilities.

  - Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before     1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
    (CVE-2010-5312)

  - Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject     arbitrary web script or HTML via the closeText parameter of the dialog function. (CVE-2016-7103)

  - jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of     the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The     issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a     CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
    (CVE-2021-41182)

  - jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of     various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The     issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as     pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted     sources. (CVE-2021-41183)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Drupal 7.x < 7.86 / 9.2.x < 9.2.11 / 9.3.x < 9.3.3 Multiple Vulnerabilities (drupal-2022-01-19)

medium Nessus Plugin ID 156863

Version 1.8

Version 1.7

Version 1.8 Nov 21, 2023, 1:14 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202311210114
Version 1.7 Dec 6, 2022, 2:54 AM Reference Plugin Feed: 202212060254