4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
65.3%
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.
jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.
Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.
CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)
A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.
This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the ‘access printer-friendly version’ permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.
CVE: CVE-2013-0245
Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on “image styles” and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.
This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.
CVE: CVE-2013-0246
Install the latest version:
Also see the Drupal core project page.
drupal.org/contact
drupal.org/drupal-6.28-release-notes
drupal.org/drupal-7.19-release-notes
drupal.org/project/drupal
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/124982
drupal.org/user/148199
drupal.org/user/1605796
drupal.org/user/172987
drupal.org/user/17943
drupal.org/user/1924632
drupal.org/user/204187
drupal.org/user/22211
drupal.org/user/245825
drupal.org/user/264148
drupal.org/user/36762
drupal.org/user/4166
drupal.org/user/426416
drupal.org/user/49851
drupal.org/user/52142
drupal.org/user/598310
drupal.org/user/748566
drupal.org/user/855656
drupal.org/user/96647
drupal.org/writing-secure-code
www.openwall.com/lists/oss-security/2013/01/31/3