4.9 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
CMS Updater allows to update Drupal core automatically with a subscription service.
Access bypass
The module does not sufficiently protect the settings page allowing any user with the permission “access administration pages” to change settings.
This vulnerability is mitigated by the fact that an attacker must have the “access administration pages” permission on the site.
Cross Site Scripting (XSS)
The module does not sanitize user provided text on the configuration page thereby exposing a cross site scripting vulnerability.
There are no mitigating factors for the cross site scripting.
Drupal core is not affected. If you do not use the contributed CMS Updater module, there is nothing you need to do.
Install the latest version:
Also see the CMS Updater project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2569111
www.drupal.org/project/cms_updater
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/bofrost
www.drupal.org/user/262198
www.drupal.org/writing-secure-code