Drupal Security TeamDRUPAL-SA-CORE-2011-001SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.3%
CVE: CVE-2011-2687
Multiple vulnerabilities and weaknesses were discovered in Drupal.
Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupalβs error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.
This issue affects Drupal 6.x only.
Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the βAdminister themesβ permission.
This issue affects Drupal 6.x and 7.x.
Access bypass in File module
When using private files in combination with a node access module, the File module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
Versions affected
- Drupal 7.x before version 7.1.
- Drupal 6.x before version 6.21.
Solution
Install the latest version:
- If you are running Drupal 7.x then upgrade to Drupal 7.1 or 7.2.
- If you are running Drupal 6.x then upgrade to Drupal 6.21 or 6.22.
The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.1 and Drupal 7.2 or Drupal 6.21 and Drupal 6.22.
See the release announcement for more information.
See also the Drupal core project page.
Reported by
- The reflected cross site scripting vulnerability was reported by Heine Deelstra (*).
- The Color module cross site scripting vulnerability was reported by Kasper Lindgaard, Secunia Research.
- The File access bypass was reported by Hubert Lecorche, and Peter Bex.
Fixed by
- The reflected cross site scripting vulnerability was fixed by Alan Smithee.
- The Color module cross site scripting vulnerability was fixed by StΓ©phane Corlosquet (), Heine Deelstra (), and Peter Wolanin (*).
- The File access bypass was fixed by Heine Deelstra (*).
(*) Member of the Drupal security team.
References
drupal.org/contact
drupal.org/drupal-7.2
drupal.org/node/1168908
drupal.org/node/1168910
drupal.org/node/1168946
drupal.org/node/1168950
drupal.org/project/drupal
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/17943
drupal.org/user/49851
drupal.org/user/52142
drupal.org/writing-secure-code
drupal.org/user/309898
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.3%