CVSS2: 8.5 High (AV:N/AC:M/Au:S/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
EPSS: 0.043 Low (Percentile 92.4%)
A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.
This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.
The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).
This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.
In Drupal 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.
This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.
For Drupal 8 this is a hardening against possible browser flaws handling certain redirect paths.
An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.
This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).
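As an added example (not Drupal core or advisory code; the example_ names are hypothetical and the Drupal 7 Form API is assumed), a form whose "Publish" button is hidden with #access but whose validation handler re-checks the permission server-side, so a submission that names the hidden button is still refused:

```php
<?php
// Drupal 7 form: the "Publish" button is removed from the rendered form for
// users without the permission, but #access alone is not trusted.
function example_review_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['save'] = array('#type' => 'submit', '#value' => t('Save draft'));
  $form['publish'] = array(
    '#type' => 'submit',
    '#value' => t('Publish'),
    // Hidden for users lacking the permission.
    '#access' => user_access('administer nodes'),
  );
  $form['#validate'][] = 'example_review_form_validate';
  $form['#submit'][] = 'example_review_form_submit';
  return $form;
}

function example_review_form_validate($form, &$form_state) {
  // #parents of the clicked button identifies it regardless of its label.
  $button = end($form_state['triggering_element']['#parents']);
  if ($button == 'publish' && !user_access('administer nodes')) {
    // Defence in depth: enforce the same permission the #access flag relies on,
    // and record the attempt so it can be alerted on.
    watchdog('example', 'Blocked publish attempt by uid %uid on node %nid.',
      array('%uid' => $GLOBALS['user']->uid, '%nid' => $form_state['values']['nid']),
      WATCHDOG_WARNING);
    form_set_error('publish', t('You are not allowed to publish this content.'));
  }
}

function example_review_form_submit($form, &$form_state) {
  // Only runs when validation passed, i.e. the permission check succeeded.
  $node = node_load($form_state['values']['nid']);
  if (end($form_state['triggering_element']['#parents']) == 'publish') {
    $node->status = NODE_PUBLISHED;
  }
  node_save($node);
  drupal_set_message(t('Saved.'));
}
```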
A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.
This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.
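As an added example (not Drupal core or advisory code; example_ names are hypothetical, Drupal 7's drupal_add_http_header() is assumed as the successor of drupal_set_header()), a wrapper that refuses header names and values a user could use to inject additional header lines:

```php
<?php
// Header values built from user content must not contain CR, LF or NUL;
// any of these ends the current header line and lets further lines follow.
function example_header_value_is_safe($value) {
  return is_string($value) && !preg_match('/[\r\n\0]/', $value);
}

// Header names are limited to RFC 7230 token characters.
function example_header_name_is_safe($name) {
  return (bool) preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name);
}

// Validates, logs a refusal, and only then hands the header to Drupal.
function example_add_http_header($name, $value) {
  if (!example_header_name_is_safe($name) || !example_header_value_is_safe($value)) {
    watchdog('example', 'Refused HTTP header %name with unsafe content.',
      array('%name' => $name), WATCHDOG_WARNING);
    return FALSE;
  }
  drupal_add_http_header($name, $value);
  return TRUE;
}

// Constructed inputs: the first is accepted, the second (embedded CRLF) is refused.
example_add_http_header('X-Author', 'alice');
example_add_http_header('X-Author', "alice\r\nX-Injected: 1");
```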
The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.
This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.
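As an added example (not Drupal core or advisory code; example_ names are hypothetical), a destination validator that checks the raw parameter and every decoding stage rather than decoding first, so a value that only becomes external after decoding is refused; it generalises the double-encoding case above to any bounded number of encodings:

```php
<?php
// A path is local only if it has no scheme, is not protocol-relative
// (//host or \\host) and carries no control characters.
function example_is_local_path($path) {
  if (!is_string($path) || $path === '') {
    return FALSE;
  }
  if (preg_match('/[\x00-\x1f\x7f]/', $path)) {
    return FALSE;
  }
  if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)) {
    return FALSE; // starts with a scheme such as http: or javascript:
  }
  if (preg_match('#^[/\\\\]{2}#', $path)) {
    return FALSE; // protocol-relative URL
  }
  return TRUE;
}

// Returns the fully decoded destination only if it is local at every
// decoding stage; NULL otherwise. Decoding is bounded so a value that keeps
// changing after $max_decodes passes is refused instead of trusted.
function example_safe_destination($raw, $max_decodes = 3) {
  $value = $raw;
  for ($i = 0; $i <= $max_decodes; $i++) {
    if (!example_is_local_path($value)) {
      return NULL;
    }
    $decoded = rawurldecode($value);
    if ($decoded === $value) {
      return $value; // stable: no further encoding layers
    }
    $value = $decoded;
  }
  return NULL;
}

// Usage in a Drupal 7 handler: fall back to the front page when refused.
function example_redirect_after_submit() {
  $dest = isset($_GET['destination']) ? example_safe_destination($_GET['destination']) : NULL;
  drupal_goto($dest !== NULL ? $dest : '<front>');
}
```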
Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.
This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.
Some specific contributed or custom code may call Drupal's user_save() API in a manner different from Drupal core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.
This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.
In certain configurations where a user’s email addresses could be used to log in instead of their username, links to “have you forgotten your password” could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.
This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users’ real-life identities.
On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized, leading to possible remote code execution.
This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.
Install the latest version:
Also see the Drupal core project page.
File upload access bypass and denial of service:
Brute force amplification attacks via XML-RPC:
Open redirect via path manipulation:
Form API ignores access restrictions on submit buttons:
HTTP header injection using line breaks:
Open redirect via double-encoded ‘destination’ parameter:
Reflected file download vulnerability:
Saving user accounts can sometimes grant the user all roles:
Email address can be matched to an account:
Session data truncation can lead to unserialization of user provided data: