Drupal 7.x < 7.19 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9725

Synopsis

The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The version of Drupal installed on the remote server is 7.x prior to 7.19, and is affected by the following vulnerabilities:

- A flaw exists that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input during DOM element selection. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. (CVE-2013-0244)
- A flaw in the Printer Friendly Version book module may lead to unauthorized disclosure of potentially sensitive information from an arbitrary node. No further details have been provided. (CVE-2013-0245)
- A flaw exists in the Image module due to the program failing to properly give permissions to derivative images. Under certain circumstances, a remote attacker can gain access to derivative images that do not inherit the permissions of the program. (CVE-2013-0246)

Solution

Upgrade to Drupal 7.19 or later.

See Also

http://drupal.org/SA-CORE-2013-001

Plugin Details

Severity: Medium

ID: 9725

Family: CGI

Published: 2016/10/28

Modified: 2016/10/28

Dependencies: 9211

Nessus ID: 63691, 70401

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 3.6

Temporal Score: 3.4

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 2013/01/16

Vulnerability Publication Date: 2013/01/16

Reference Information

CVE: CVE-2013-0244, CVE-2013-0245, CVE-2013-0246

BID: 57437