The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities :

 - An information disclosure vulnerability exists in the taxonomy module when using access query tags that are inconsistent with the standard system used by Drupal Core. An unauthenticated, remote attacker can exploit this to disclose sensitive information regarding taxonomy terms. (CVE-2016-9449)

 - A flaw exists in the password reset form due to a failure to properly specify a cache context. An unauthenticated, remote attacker can exploit this to poison the cache, by adding, for example, unwanted content to the page. Note that this issue only affects version 8.x. (CVE-2016-9450)

 - A cross-site redirection vulnerability exists in the confirmation form due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to redirect the user to a website of the attacker's choosing. Note that this issue only affects version 7.x. (CVE-2016-9451)

 - A denial of service vulnerability exists in the transliterate mechanism when handling specially crafted URLs. An unauthenticated, remote attacker can exploit this to cause a crash. Note that this issue only affects version 8.x. (CVE-2016-9452)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Drupal installed on the remote server is 8.x prior to 8.2.3, and is affected by multiple vulnerabilities :

 - A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may potentially result in a remote attacker being able to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
 - A flaw exists in the password reset page that is due to the program failing to properly specify the cache context. This may allow a remote attacker to poison the cache and e.g. add unwanted content to the page. (CVE-2016-9450)
 - A flaw exists in the transliterate mechanism that is triggered during the handling of a specially crafted URL. This may allow a remote attacker to cause a crash. (CVE-2016-9452)

The version of Drupal installed on the remote server is 7.x prior to 7.52, and is affected by multiple vulnerabilities :

 - A flaw exists in the taxonomy module that is triggered by its use of access query tags inconsistent with the standard system used by Drupal Core. This may potentially result in a remote attacker being able to gain access to sensitive information regarding taxonomy terms. (CVE-2016-9449)
 - A flaw exists that allows a cross-site redirection attack. This flaw exists because the confirmation form does not validate certain unspecified input before returning it to the user. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker. (CVE-2016-9451)

https://www.drupal.org/SA-CORE-2016-005

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Drupal development team reports : Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8) Drupal provides a mechanism to alter database SELECT queries before they are executed.
Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access).
However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference.
Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Incorrect cache context on password reset page (Less critical - Drupal 8) The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7) Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks. Denial of service via transliterate mechanism (Moderately critical - Drupal 8) A specially crafted URL can cause a denial of service via the transliterate mechanism.

Multiple vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/SA-CORE-2016-005.

For Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u15.

We recommend that you upgrade your drupal7 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Drupal running on the remote web server is 7.x prior to 7.52 or 8.x prior to 8.2.3. It is, therefore, affected by the multiple vulnerabilities :

  - An information disclosure vulnerability exists in the     taxonomy module when using access query tags that are     inconsistent with the standard system used by Drupal     Core. An unauthenticated, remote attacker can exploit     this to disclose sensitive information regarding     taxonomy terms. (CVE-2016-9449)

  - A flaw exists in the password reset form due to a     failure to properly specify a cache context. An     unauthenticated, remote attacker can exploit this to     poison the cache, by adding, for example, unwanted     content to the page. Note that this issue only     affects version 8.x. (CVE-2016-9450)

  - A cross-site redirection vulnerability exists in the     confirmation form due to improper validation of input     before returning it to users. An unauthenticated, remote     attacker can exploit this, via a specially crafted link,     to redirect the user to a website of the attacker's     choosing. Note that this issue only affects version     7.x. (CVE-2016-9451)

  - A denial of service vulnerability exists in the     transliterate mechanism when handling specially crafted     URLs. An unauthenticated, remote attacker can exploit     this to cause a crash. Note that this issue only affects     version 8.x. (CVE-2016-9452)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities has been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/SA-CORE-2016-005

ID	Name	Product	Family	Severity
98553	Drupal 7.x < 7.52 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
98552	Drupal 8.x < 8.2.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
9821	Drupal 8.x < 8.2.3 Multiple Vulnerabilites	Nessus Network Monitor	CGI	low
9820	Drupal 7.x < 7.52 Multiple Vulnerabilites	Nessus Network Monitor	CGI	medium
95417	Fedora 23 : drupal7 (2016-ff9a74c6dc)	Nessus	Fedora Local Security Checks	medium
95406	Fedora 25 : drupal7 (2016-95b1be8a3d)	Nessus	Fedora Local Security Checks	medium
95403	Fedora 24 : drupal7 (2016-1cc5edde49)	Nessus	Fedora Local Security Checks	medium
95365	FreeBSD : Drupal Code -- Multiple Vulnerabilities (8db24888-b2f5-11e6-8153-00248c0c745d)	Nessus	FreeBSD Local Security Checks	high
95031	Debian DLA-715-1 : drupal7 security update	Nessus	Debian Local Security Checks	medium
95026	Drupal 7.x < 7.52 / 8.x < 8.2.3 Multiple Vulnerabilities	Nessus	CGI abuses	high
94943	Debian DSA-3718-1 : drupal7 - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2016-9449

medium

Tenable Plugins

high

high

low

medium

medium

medium

medium

high

medium

high

medium