CVSS2 score: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS score: 0.007 Low
EPSS percentile: 80.5%
This security advisory fixes multiple vulnerabilities. See below for a list.
A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.
This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.
Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.
This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.
A vulnerability was discovered in Drupal’s form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user’s account.
This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.
Users without the “access content” permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
Install the latest version:
Also see the Drupal core project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/drupal-6.37-release-notes
www.drupal.org/drupal-7.39-release-notes
www.drupal.org/node/2554145
www.drupal.org/project/drupal
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/abdullah-hussam
www.drupal.org/u/benjy
www.drupal.org/u/crell
www.drupal.org/u/csabot3
www.drupal.org/u/David_Rothstein
www.drupal.org/u/david_rothstein
www.drupal.org/u/droplet
www.drupal.org/u/effulgentsia
www.drupal.org/u/g%C3%A1bor-hojtsy
www.drupal.org/u/greggles
www.drupal.org/u/ircmaxell
www.drupal.org/u/larowlan
www.drupal.org/u/matt2000
www.drupal.org/u/meichr
www.drupal.org/u/nod_
www.drupal.org/u/pere-orga
www.drupal.org/u/pwolanin
www.drupal.org/u/regilero
www.drupal.org/u/samuel.mortenson
www.drupal.org/u/scor
www.drupal.org/u/tim.plunkett
www.drupal.org/u/wim-leers
www.drupal.org/u/yesct
www.drupal.org/u/znerol
www.drupal.org/user/2301194
www.drupal.org/user/49851
www.drupal.org/user/78040
www.drupal.org/writing-secure-code