Debian DSA-958-1 : drupal - several vulnerabilities

medium Nessus Plugin ID 22824

Synopsis

The remote Debian host is missing a security-related update.

Description

Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

- CVE-2005-3973 Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML.

- CVE-2005-3974 When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the 'access user profiles' permission.

- CVE-2005-3975 An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension.

Solution

Upgrade the drupal package.

The old stable distribution (woody) does not contain drupal packages.

For the stable distribution (sarge) these problems have been fixed in version 4.5.3-5.

Plugin Details

Severity: Medium

ID: 22824

File Name: debian_DSA-958.nasl

Version: 1.19

Type: local

Agent: unix

Family: Debian Local Security Checks

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:drupal, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/27/2006

Vulnerability Publication Date: 9/22/2005

Reference Information

CVE: CVE-2005-3310, CVE-2005-3477, CVE-2005-3973, CVE-2005-3974, CVE-2005-3975, CVE-2005-4426

BID: 15663, 15674, 15677

DSA: 958

Detections

Analytics