Detections
Analytics
Drupal 7.x < 7.80 / 8.9.x < 8.9.14 / 9.x < 9.0.12 / 9.1.x < 9.1.7 XSS (SA-CORE-2021-002)
medium Nessus Plugin ID 148935
Language:
Synopsis
A PHP application running on the remote web server is affected by a vulnerability.Description
According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.80, 8.9.x prior to 8.9.14, 9.x prior to 9.0.12, or 9.1.x prior to 9.1.7. It is, therefore, affected by a vulnerability.- Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.
Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible. (SA-CORE-2021-002)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 7.80 / 8.9.14 / 9.0.12 / 9.1.7 or later.See Also
https://www.drupal.org/sa-core-2021-002
https://www.drupal.org/project/drupal/releases/7.80
https://www.drupal.org/project/drupal/releases/8.9.14
Plugin Details
Severity: Medium
ID: 148935
File Name: drupal_9_1_7.nasl
Version: 1.5
Type: remote
Family: CGI abuses
Published: 4/22/2021
Updated: 4/11/2022
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Risk Information
CVSS Score Rationale: No cve assigned
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: manual
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: Settings/ParanoidReport, installed_sw/Drupal
Exploit Ease: No known exploits are available
Patch Publication Date: 4/21/2021
Vulnerability Publication Date: 4/21/2021
Reference Information
IAVA: 2021-A-0200-S