Drupal 7.x < 7.44 / 8.1.x < 8.1.3 User Module Account Saving Improper Role Assignment Remote Issue

Nessus Network Monitor Plugin ID 9399 (severity: high)

Synopsis

The remote server is hosting an outdated installation of Drupal that is affected by a privilege escalation vulnerability.

Description

Versions of Drupal 7.x prior to 7.44 and 8.1.x prior to 8.1.3 are unpatched and therefore affected by a flaw in the core 'User' module. In some cases, when a user account is saved, the account is incorrectly granted every role defined on the site. An authenticated, remote attacker could exploit this to gain elevated privileges.
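Because the defect grants an account every role, a practical post-upgrade check is to look for accounts that hold all configurable roles and compare the list against the accounts that legitimately should. The following is an added example written for this page, not code from Tenable or from Drupal; it uses an in-memory SQLite copy of the Drupal 7 'role' and 'users_roles' tables (rid 1 and 2 are the built-in anonymous and authenticated roles and are never stored in users_roles) populated with constructed sample rows, and the allowlist of expected administrator uids is an assumption you would replace with your own.

```python
import sqlite3

# Constructed sample data modelled on the Drupal 7 'role' and 'users_roles'
# tables. Rows are made up for this example; rid 1/2 are built-in roles.
SAMPLE_ROLES = [
    (1, "anonymous user"),
    (2, "authenticated user"),
    (3, "administrator"),
    (4, "editor"),
    (5, "billing"),
]
SAMPLE_USERS_ROLES = [
    (1, 3), (1, 4), (1, 5),      # uid 1: the site owner, expected to hold everything
    (7, 4),                      # uid 7: a normal editor
    (12, 3), (12, 4), (12, 5),   # uid 12: holds every configurable role (suspicious)
    (20, 5),                     # uid 20: billing only
]


def build_sample_db():
    """Create an in-memory database with the D7-style tables and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users_roles (
            uid INTEGER NOT NULL,
            rid INTEGER NOT NULL,
            PRIMARY KEY (uid, rid)
        );
        """
    )
    conn.executemany("INSERT INTO role VALUES (?, ?)", SAMPLE_ROLES)
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", SAMPLE_USERS_ROLES)
    return conn


def users_holding_every_role(conn, expected_admins=(1,)):
    """Return uids, outside expected_admins, that hold every configurable role.

    'Configurable' means rid > 2, i.e. everything except anonymous/authenticated.
    expected_admins is an assumed allowlist of accounts that should have all roles.
    """
    total = conn.execute("SELECT COUNT(*) FROM role WHERE rid > 2").fetchone()[0]
    if total == 0:
        return []
    rows = conn.execute(
        """
        SELECT uid
        FROM users_roles
        WHERE rid > 2
        GROUP BY uid
        HAVING COUNT(DISTINCT rid) = ?
        ORDER BY uid
        """,
        (total,),
    ).fetchall()
    return [uid for (uid,) in rows if uid not in expected_admins]


def role_names_for(conn, uid):
    """List the role names held by one account, for the audit report."""
    rows = conn.execute(
        "SELECT r.name FROM users_roles ur JOIN role r ON r.rid = ur.rid "
        "WHERE ur.uid = ? ORDER BY r.rid",
        (uid,),
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for uid in users_holding_every_role(db):
        print(f"uid {uid} holds every role: {', '.join(role_names_for(db, uid))}")
```

On a real Drupal 7 site the same two queries run unchanged against the MySQL or PostgreSQL database; on Drupal 8 the role assignments live in the user__roles field table instead, so the table and column names in the query change while the logic does not. Any uid the query reports and the allowlist does not explain should be reviewed before the roles are stripped, since the defect leaves no other trace of how the roles were acquired.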

Solution

Upgrade to Drupal 7.44 or later for 7.x sites, or to Drupal 8.1.3 or later for 8.1.x sites.
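The plugin's finding reduces to a version-range test against the two fixed releases named above. The function below is an added example, not Tenable's plugin logic and not Drupal code; it assumes the installed version string has already been obtained by whatever means (a core file, an HTTP fingerprint, an inventory record) and applies only the ranges this advisory lists, so branches the page does not mention (for example 8.0.x or 8.2.x development builds) are reported as outside the listed ranges rather than guessed at. Pre-release builds such as "7.44-dev" sort before the release they precede, so they are still treated as affected.

```python
import re

# Fixed releases exactly as stated on this page (SA-CORE-2016-002).
FIXED_7X = (7, 44)
FIXED_81X = (8, 1, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Split 'major.minor[.patch][-suffix]' into (numeric_tuple, is_prerelease).

    Drupal 7 uses two components (7.43); Drupal 8 uses three (8.1.2).
    A '-dev', '-rc1', '-beta2' style suffix marks a build that precedes
    the numbered release, so it is flagged as a pre-release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    numeric = (int(major), int(minor)) if patch is None else (int(major), int(minor), int(patch))
    return numeric, suffix is not None


def _sort_key(numeric, prerelease):
    # A pre-release of X sorts before the final X, so append 0 for pre-release, 1 for final.
    return numeric + ((0,) if prerelease else (1,))


def assess(version):
    """Return 'affected', 'patched', or 'not in listed ranges' for one version string."""
    numeric, prerelease = parse_version(version)
    key = _sort_key(numeric, prerelease)
    if numeric[0] == 7 and len(numeric) == 2:
        return "affected" if key < _sort_key(FIXED_7X, False) else "patched"
    if len(numeric) == 3 and numeric[:2] == (8, 1):
        return "affected" if key < _sort_key(FIXED_81X, False) else "patched"
    return "not in listed ranges"


if __name__ == "__main__":
    for v in ["7.43", "7.44", "7.44-dev", "8.1.2", "8.1.3", "8.0.6", "6.38"]:
        print(f"{v:10} -> {assess(v)}")
```

The branch test matters more than the numeric comparison: a naive tuple comparison would call 8.0.6 "affected" because it is below 8.1.3, but this page only states the 8.1.x range, so the check reports that branch as outside its scope and leaves the decision to the reader.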

See Also

https://www.drupal.org/SA-CORE-2016-002

https://www.drupal.org/project/drupal/releases/7.44

https://www.drupal.org/project/drupal/releases/8.1.3

Plugin Details

Severity: High

ID: 9399

Family: CGI

Published: 7/18/2016

Updated: 3/6/2019

Nessus ID: 91781

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 6/15/2016

Vulnerability Publication Date: 6/15/2016