Synopsis
A PHP application running on the remote web server is affected by multiple vulnerabilities.
Description
According to its self-reported version, the instance of Drupal running on the remote web server is 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6, or 9.0.x prior to 9.0.6. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists in the File module. An authenticated, remote attacker can exploit this, to disclose file metadata. (CVE-2020-13670).
- An authentication bypass vulnerability exists in the Workspaces module due to insufficient checks on assigned permissions. An unauthenticated, remote attacker can exploit this, by sending specially crafted requests, to access restricted content before an administrator has made it publicly available (CVE-2020-13667).
- A cross-site scripting (XSS) vulnerability exists in an undisclosed component of Drupal due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2020-13368).
- A cross-site scripting (XSS) vulnerability exists in the CKEditor image caption functionality due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2020-13369).
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 8.8.10 / 8.9.6 / 9.0.6 or later.
Plugin Details
File Name: drupal_9_0_6.nasl
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: installed_sw/Drupal, Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 9/16/2020
Vulnerability Publication Date: 9/16/2020