Detections
Analytics
Drupal 6.x < 6.37 Multiple Vulnerabilities
medium Nessus Network Monitor Plugin ID 9215
Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.Description
The remote server is hosting an outdated version of Drupal, a PHP-based open-source content management system. The version of Drupal installed on the remote server is 6.x prior to 6.37, and is affected by the following vulnerabilities :- A cross-site scripting (XSS) vulnerability exists in the autocomplete functionality due to improper validation of input passed via requested URLs. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code. (CVE-2015-6658)
- A cross-site request forgery (CSRF) vulnerability exists in the form API due to improper validation of form tokens. An authenticated, remote attacker can exploit this, via a specially crafted link, to upload arbitrary files under another user's account. (CVE-2015-6660)
- An information disclosure vulnerability exists that allows a remote, authenticated user to view the titles of nodes that they do not have access to. (CVE-2015-6661)
Solution
Upgrade to Drupal 6.37, or later.See Also
https://www.drupal.org/SA-CORE-2015-003
Plugin Details
Severity: Medium
ID: 9215
Family: CGI
Published: 4/8/2016
Updated: 3/6/2019
Nessus ID: 85652
Risk Information
VPR
Risk Factor: Medium
Score: 5.8
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Temporal Score: 5.4
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Patch Publication Date: 8/19/2015
Vulnerability Publication Date: 8/19/2015