Drupal 8.x < 8.2.3 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 9821
Synopsis: The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.
Description: The version of Drupal installed on the remote server is 8.x prior to 8.2.3, and is affected by multiple vulnerabilities:
- A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may allow a remote attacker to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
- A flaw exists in the password reset page that is due to the program failing to properly specify the cache context. This may allow a remote attacker to poison the cache and, for example, add unwanted content to the page. (CVE-2016-9450)
- A flaw exists in the transliterate mechanism that is triggered during the handling of a specially crafted URL. This may allow a remote attacker to cause a crash. (CVE-2016-9452)
Solution: Upgrade to Drupal 8.2.3 or later.