SynopsisThe remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.
DescriptionThe version of Drupal installed on the remote server is 7.x prior to 7.13, and is affected by the following vulnerabilities :
- A flaw exists that may allow a remote denial of service. The issue is triggered by a weakness in the text matching pattern, which will result in a memory exhaustion when parsing certain strings. This will result in loss of availability for the application. (CVE-2012-1588)
- A flaw may lead to an unauthorized information disclosure. The issue is triggered when the program fails to confirm that a submitted form destination URL is an internal site, which may redirect login information to a remote attacker. (CVE-2012-1589)
- A flaw may lead to an unauthorized information disclosure. The issue is triggered when the program does not properly confirm user access when parsing image style page requests, which will disclose image derivatives to a remote attacker. (CVE-2012-1591)
- A flaw may lead to an unauthorized information disclosure. The issue is triggered when Drupal fails to validate a user's access level when viewing a page, which may disclose unpublished nodes to a remote attacker. (CVE-2012-2153)
SolutionUpgrade to Drupal 7.13 or later.