According to its self-reported version number, the detected Drupal application is affected by a cross-site scripting (XSS) vulnerability in File module/subsystem due to improper sanitization of data in uploaded files.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that missing input sanitising in the file module of Drupal, a fully-featured content management framework, could result in cross-site scripting.

For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-004.

- https://www.drupal.org/project/drupal/releases/7.65

    - https://www.drupal.org/SA-CORE-2019-004

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Drupal Security Team reports :

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

- https://www.drupal.org/project/drupal/releases/8.6.13

    - https://www.drupal.org/SA-CORE-2019-004

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.65, 8.5.x prior to 8.5.14, or 8.6.x prior to 8.6.13. It is, therefore, affected by a cross site scripting (XSS) vulnerability in the File module/subsystem due to improper sanitization of data in uploaded files.

It was discovered that missing input sanitising in the file module of Drupal, a fully-featured content management framework, could result in cross-site scripting.

For Debian 8 'Jessie', this problem has been fixed in version 7.32-1+deb8u16.

We recommend that you upgrade your drupal7 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
98396	Drupal 8.5.x < 8.5.14 Cross-Site Scripting	Web App Scanning	Component Vulnerability	3/21/2019	3/14/2023	medium
98395	Drupal 8.6.x < 8.6.13 Cross-Site Scripting	Web App Scanning	Component Vulnerability	3/21/2019	3/14/2023	medium
98397	Drupal 7.x < 7.65 Cross-Site Scripting	Web App Scanning	Component Vulnerability	3/21/2019	3/14/2023	medium
123022	Debian DSA-4412-1 : drupal7 - security update	Nessus	Debian Local Security Checks	3/25/2019	2/3/2020	medium
123569	Fedora 28 : drupal7 (2019-2fbce03df3)	Nessus	Fedora Local Security Checks	4/2/2019	1/27/2020	medium
123422	FreeBSD : drupal -- Drupal core - Moderately critical - XSS (94d63fd7-508b-11e9-9ba0-4c72b94353b5)	Nessus	FreeBSD Local Security Checks	3/28/2019	1/27/2020	medium
123570	Fedora 29 : drupal7 (2019-35589cfcb5)	Nessus	Fedora Local Security Checks	4/2/2019	1/27/2020	medium
123571	Fedora 28 : drupal8 (2019-79bd99f9a8)	Nessus	Fedora Local Security Checks	4/2/2019	1/27/2020	medium
123006	Drupal 7.x < 7.65 / 8.5.x < 8.5.14 / 8.6.x < 8.6.13 XSS (SA-CORE-2019-004)	Nessus	CGI abuses : XSS	3/22/2019	4/11/2022	medium
123566	Debian DLA-1746-1 : drupal7 security update	Nessus	Debian Local Security Checks	4/2/2019	1/11/2021	medium
123568	Fedora 29 : drupal8 (2019-1d9be4b853)	Nessus	Fedora Local Security Checks	4/2/2019	1/27/2020	medium

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium