
Test ID: 1.3.6.1.4.1.25623.1.0.810959
Category: Web application abuses
Title: Drupal Core Multiple Vulnerabilities (SA-CORE-2017-003) - Linux
Summary: Drupal is prone to multiple vulnerabilities.
Description:
Summary:
Drupal is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- PECL YAML parser does not handle PHP objects safely during certain
operations within Drupal core.

- The file REST resource does not properly validate some fields when
manipulating files.

- Private files that have been uploaded by an anonymous user but not
permanently attached to content on the site are visible to that anonymous
user; Drupal core did not provide sufficient protection.

Vulnerability Impact:
Successful exploitation will allow remote attackers to execute arbitrary
code, obtain or register a user account on the site with permissions to
upload files into a private file system, and modify the file resource.

Affected Software/OS:
Drupal core 7.x versions prior to 7.56 and 8.x versions prior to 8.3.4.

Solution:
Upgrade to Drupal core version 7.56 or
8.3.4 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref:
BugTraq ID: 99211
BugTraq ID: 99222
BugTraq ID: 99219
Common Vulnerability Exposure (CVE) ID: CVE-2017-6920
http://www.securityfocus.com/bid/99211
http://www.securitytracker.com/id/1038781
Common Vulnerability Exposure (CVE) ID: CVE-2017-6921
http://www.securityfocus.com/bid/99222
Common Vulnerability Exposure (CVE) ID: CVE-2017-6922
http://www.securityfocus.com/bid/99219
Debian Security Information: DSA-3897
https://www.debian.org/security/2017/dsa-3897
Copyright: Copyright (C) 2017 Greenbone Networks GmbH

© 1998-2024 E-Soft Inc. All rights reserved.