Drupal 8.x < 8.2.3 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9821


The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.


The version of Drupal installed on the remote server is 8.x prior to 8.2.3, and is affected by multiple vulnerabilities:

- A flaw exists in the taxonomy module that is triggered by its use of access query tags that are inconsistent with the standard system used by Drupal Core. This may allow a remote attacker to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
- A flaw exists in the password reset page that is due to the program failing to properly specify the cache context. This may allow a remote attacker to poison the cache and, for example, add unwanted content to the page. (CVE-2016-9450)
- A flaw exists in the transliterate mechanism that is triggered during the handling of a specially crafted URL. This may allow a remote attacker to cause a crash. (CVE-2016-9452)


Upgrade to Drupal 8.2.3 or later.


Plugin Details

Severity: Medium

ID: 9821

Family: CGI

Published: 12/2/2016

Updated: 3/6/2019

Dependencies: 9212

Nessus ID: 95026

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Patch Publication Date: 11/16/2016

Vulnerability Publication Date: 11/16/2016

Reference Information

CVE: CVE-2016-9449, CVE-2016-9450, CVE-2016-9452

BID: 94367