CVSS2 base score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS score: 0.014 (Low), percentile 86.3%
CVE: CVE-2011-2687
Multiple vulnerabilities and weaknesses were discovered in Drupal.
A reflected cross-site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.
This issue affects Drupal 6.x only.
When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the 'Administer themes' permission.
This issue affects Drupal 6.x and 7.x.
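As an added illustration of the color-input issue above (this is not code from Drupal core or from the advisory): a strict allow-list check that accepts only plain #RRGGBB values before they are placed into generated CSS, so a submitted value cannot carry CSS or script into the stylesheet. The function names and the palette shape (name => color string) are assumptions.

```php
<?php
// Added example, not Drupal core code: allow-list validation for theme
// colour values. Anything that is not a six-digit hex triplet is rejected,
// which is what keeps extra CSS or script out of the generated stylesheet.

/**
 * Returns TRUE only for a six-digit hex colour such as "#1a2B3c".
 */
function example_color_is_valid($value) {
  return is_string($value) && preg_match('/^#[0-9a-fA-F]{6}$/', $value) === 1;
}

/**
 * Validates a submitted palette (assumed shape: name => colour string).
 * Returns the names of the fields that failed; an empty array means OK.
 */
function example_palette_validate(array $palette) {
  $errors = array();
  foreach ($palette as $name => $value) {
    if (!example_color_is_valid($value)) {
      $errors[] = $name;
    }
  }
  return $errors;
}

/**
 * Builds a CSS fragment from a palette. Only keys in the fixed $map are
 * emitted, and every value is re-checked so that nothing unvalidated is
 * ever interpolated into CSS, even if the caller skipped validation.
 */
function example_palette_css(array $palette) {
  $map = array(
    'bg'   => 'body { background-color: %s; }',
    'link' => 'a { color: %s; }',
  );
  $css = '';
  foreach ($map as $name => $template) {
    if (isset($palette[$name]) && example_color_is_valid($palette[$name])) {
      $css .= sprintf($template, strtolower($palette[$name])) . "\n";
    }
  }
  return $css;
}

// Constructed sample input: one clean value and one that tries to close the
// declaration and append its own rule.
$submitted = array(
  'bg'   => '#FFFFFF',
  'link' => '#000000; } body { color: red }',
);
$bad = example_palette_validate($submitted);   // array('link')
echo example_palette_css($submitted);          // only the body rule is emitted
```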
When using private files in combination with a node access module, the File module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
Install the latest version:
The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose either only the security update for an immediate fix (which might require less quality assurance and testing) or the security fixes together with the other fixes and improvements: Drupal 7.1 and Drupal 6.21 contain only the security fixes, while Drupal 7.2 and Drupal 6.22 add the other bug fixes and improvements.
See the release announcement for more information.
See also the Drupal core project page.
References:
drupal.org/contact
drupal.org/drupal-7.2
drupal.org/node/1168908
drupal.org/node/1168910
drupal.org/node/1168946
drupal.org/node/1168950
drupal.org/project/drupal
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/17943
drupal.org/user/49851
drupal.org/user/52142
drupal.org/writing-secure-code
drupal.org/user/309898