Debian DSA-3346-1 : drupal7 - security update

high Nessus Plugin ID 85726

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in Drupal, a content management framework:

- CVE-2015-6658: The form autocomplete functionality did not properly sanitize the requested URL, allowing remote attackers to perform a cross-site scripting attack.

- CVE-2015-6659: The SQL comment filtering system could allow a user with elevated permissions to inject malicious code in SQL comments.

- CVE-2015-6660: The form API did not perform form token validation early enough, allowing the file upload callbacks to be run with untrusted input. This could allow remote attackers to upload files to the site under another user's account.

- CVE-2015-6661: Users without the 'access content' permission could see the titles of nodes that they do not have access to, if the nodes were added to a menu on the site that the users have access to.

- CVE-2015-6665: Remote attackers could perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

Solution

Upgrade the drupal7 packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u11.

For the stable distribution (jessie), these problems have been fixed in version 7.32-1+deb8u5.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-6658

https://security-tracker.debian.org/tracker/CVE-2015-6659

https://security-tracker.debian.org/tracker/CVE-2015-6660

https://security-tracker.debian.org/tracker/CVE-2015-6661

https://security-tracker.debian.org/tracker/CVE-2015-6665

https://packages.debian.org/source/wheezy/drupal7

https://packages.debian.org/source/jessie/drupal7

https://www.debian.org/security/2015/dsa-3346

Plugin Details

Severity: High

ID: 85726

File Name: debian_DSA-3346.nasl

Version: 2.7

Type: local

Agent: unix

Published: 9/2/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:drupal7, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/31/2015

Reference Information

CVE: CVE-2015-6658, CVE-2015-6659, CVE-2015-6660, CVE-2015-6661, CVE-2015-6665

DSA: 3346