Detections
Analytics
Drupal 10.3.x < 10.3.13 / 10.3.x < 10.3.13 / 10.4.x < 10.4.3 / 10.4.x < 10.4.3 / 11.x < 11.0.12 / 11.x < 11.0.12 / 11.1.x < 11.1.3 / 11.1.x < 11.1.3 Multiple Vulnerabilities (drupal-2025-02-19)
high Nessus Plugin ID 216497
Language:
Synopsis
A PHP application running on the remote web server is affected by multiple vulnerabilities.Description
According to its self-reported version, the instance of Drupal running on the remote web server is 10.3.x prior to 10.3.13, 10.3.x prior to 10.3.13, 10.4.x prior to 10.4.3, 10.4.x prior to 10.4.3, 11.x prior to 11.0.12, 11.x prior to 11.0.12, 11.1.x prior to 11.1.3, or 11.1.x prior to 11.1.3. It is, therefore, affected by multiple vulnerabilities.- Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. (SA-CORE-2025-003)
- Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes. This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes. In particular, the bulk operations Make content sticky Make content unsticky Promote content to front page Publish content Remove content from front page Unpublish content now require the Administer content permission. (SA- CORE-2025-002)
- Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS). Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future. (SA-CORE-2025-001)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 10.3.13 / 10.3.13 / 10.4.3 / 10.4.3 / 11.0.12 / 11.0.12 / 11.1.3 / 11.1.3 or later.See Also
https://www.drupal.org/sa-core-2025-003
https://www.drupal.org/project/drupal/releases/10.3.13
https://www.drupal.org/project/drupal/releases/10.4.3
https://www.drupal.org/project/drupal/releases/11.0.12
https://www.drupal.org/project/drupal/releases/11.1.3
https://www.drupal.org/psa-2021-06-29
https://www.drupal.org/psa-2023-11-01
https://www.drupal.org/sa-core-2025-002
Plugin Details
Severity: High
ID: 216497
File Name: drupal_11_1_3.nasl
Version: 1.1
Type: remote
Family: CGI abuses
Published: 2/19/2025
Updated: 2/19/2025
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: installed_sw/Drupal, Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 2/19/2025
Vulnerability Publication Date: 2/19/2025