Detections
Analytics

Drupal 7.x < 7.13 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9724

Synopsis

The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The version of Drupal installed on the remote server is 7.x prior to 7.13, and is affected by the following vulnerabilities :

 - A flaw exists that may allow a remote denial of service. The issue is triggered by a weakness in the text matching pattern, which will result in a memory exhaustion when parsing certain strings. This will result in loss of availability for the application. (CVE-2012-1588)
 - A flaw may lead to an unauthorized information disclosure. The issue is triggered when the program fails to confirm that a submitted form destination URL is an internal site, which may redirect login information to a remote attacker. (CVE-2012-1589)
 - A flaw may lead to an unauthorized information disclosure. The issue is triggered when the program does not properly confirm user access when parsing image style page requests, which will disclose image derivatives to a remote attacker. (CVE-2012-1591)
 - A flaw may lead to an unauthorized information disclosure. The issue is triggered when Drupal fails to validate a user's access level when viewing a page, which may disclose unpublished nodes to a remote attacker. (CVE-2012-2153)

Solution

Upgrade to Drupal 7.13 or later.

See Also

http://drupal.org/node/1557938

Plugin Details

Severity: Medium

ID: 9724

Family: CGI

Published: 10/28/2016

Updated: 3/6/2019

Nessus ID: 66088

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 5/2/2012

Vulnerability Publication Date: 5/2/2012

Reference Information

CVE: CVE-2012-1588, CVE-2012-1589, CVE-2012-1591, CVE-2012-2153

BID: 53359, 53362, 53365, 53368