Drupal 8.x < 8.2.3 Multiple Vulnerabilites

low Nessus Network Monitor Plugin ID 9821

Synopsis

The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The version of Drupal installed on the remote server is 8.x prior to 8.2.3, and is affected by multiple vulnerabilities :

- A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may potentially result in a remote attacker being able to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
- A flaw exists in the password reset page that is due to the program failing to properly specify the cache context. This may allow a remote attacker to poison the cache and e.g. add unwanted content to the page. (CVE-2016-9450)
- A flaw exists in the transliterate mechanism that is triggered during the handling of a specially crafted URL. This may allow a remote attacker to cause a crash. (CVE-2016-9452)

Solution

Upgrade to Drupal 8.2.3 or later.

See Also

https://www.drupal.org/SA-CORE-2016-005

Plugin Details

Severity: Low

ID: 9821

Family: CGI

Published: 12/2/2016

Updated: 3/6/2019

Nessus ID: 95026

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 11/16/2016

Vulnerability Publication Date: 11/16/2016

Reference Information

CVE: CVE-2016-9449, CVE-2016-9450, CVE-2016-9452

BID: 94367