CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%
The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to “drive” tailored tools and data displays within Drupal.
The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values in some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with OSF Ontology module enabled are affected.
Additionally, the module is vulnerable to Arbitrary file deletion. A malicious user can cause an administrator to delete files by getting their browser to make a request to a specially-crafted URL. Only sites with OSF Ontology and OSF Import modules enabled are affected.
Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator’s browser to make a request to a specially-crafted URL. Only sites with OSF Import module enabled are affected.
Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.
Install the latest version:
Also see the OSF for Drupal project page.