Drupal 7.x < 7.52 Multiple Vulnerabilites

Medium Nessus Network Monitor Plugin ID 9820


The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.


The version of Drupal installed on the remote server is 7.x prior to 7.52, and is affected by multiple vulnerabilities :

- A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may potentially result in a remote attacker being able to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
- A flaw exists that allows a cross-site redirection attack. This flaw exists because the confirmation form does not validate certain unspecified input before returning it to the user. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker. (CVE-2016-9451)


Upgrade to Drupal 7.52 or later.

See Also



Plugin Details

Severity: Medium

ID: 9820

Family: CGI

Published: 2016/12/02

Updated: 2019/03/06

Dependencies: 9211

Nessus ID: 95026

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 4.2

Temporal Score: 4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 2016/11/16

Vulnerability Publication Date: 2016/11/16

Reference Information

CVE: CVE-2016-9449, CVE-2016-9451

BID: 94367