Drupal 7.x < 7.19 Multiple Vulnerabilities

low Nessus Network Monitor Plugin ID 9725

Synopsis

The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The version of Drupal installed on the remote server is 7.x prior to 7.19, and is affected by the following vulnerabilities:

- A flaw exists that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input during DOM element selection. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. (CVE-2013-0244)
- A flaw in the Printer Friendly Version book module may lead to unauthorized disclosure of potentially sensitive information from an arbitrary node. No further details have been provided. (CVE-2013-0245)
- A flaw exists in the Image module due to the program failing to properly give permissions to derivative images. Under certain circumstances, a remote attacker can gain access to derivative images that do not inherit the permissions of the program. (CVE-2013-0246)

Solution

Upgrade to Drupal 7.19 or later.

See Also

http://drupal.org/SA-CORE-2013-001

Plugin Details

Severity: Low

ID: 9725

Family: CGI

Published: 10/28/2016

Updated: 3/6/2019

Nessus ID: 63691, 70401

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 1/16/2013

Vulnerability Publication Date: 1/16/2013

Reference Information

CVE: CVE-2013-0244, CVE-2013-0245, CVE-2013-0246

BID: 57437