Drupal 7.x < 7.52 Multiple Vulnerabilites
Medium Nessus Network Monitor Plugin ID 9820
Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.
Description
The version of Drupal installed on the remote server is 7.x prior to 7.52, and is affected by multiple vulnerabilities :
- A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may potentially result in a remote attacker being able to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
- A flaw exists that allows a cross-site redirection attack. This flaw exists because the confirmation form does not validate certain unspecified input before returning it to the user. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker. (CVE-2016-9451)
Solution
Upgrade to Drupal 7.52 or later.