Multiple serious vulnerabilities have been found in Drupal modules. Malicious users can exploit these vulnerabilities to bypass security restrictions, inject arbitrary code or obtain sensitive information.
Below is a complete list of vulnerabilities:
- Open redirect vulnerabilities in the Commerce WeDeal, Node basket, Views and Node Invite modules can be exploited remotely via unspecified vectors;
- XSS vulnerabilities in the Ajax Timeline, Facebook Album Fetcher, Public Download Count, Taxonomy Tools, Node Access Product, Taxonomy Path, Commerce Balanced Payments, Node basket, Quizzler, Node Invite, Taxonews, Classified Ads, Nodeauthor and Content Analysis modules can be exploited remotely via specially designed parameters or other unknown vectors;
- An unknown vulnerability in the Path Breadcrumbs module can be exploited remotely by reading a 403 page;
- CSRF vulnerabilities in the Node basket, Feature Set, Shibboleth Authentication, Corner, Node Invite, Patterns, Alfresco and Contact Form Fields modules can be exploited remotely via unspecified vectors;
- Improper access restrictions in the Views module can be exploited remotely via unknown vectors;
- Improper token generation in the Amazon AWS module can be exploited remotely via unspecified vectors.
Original advisories
Related products
Drupal
CVE list
CVE-2015-3393 high
CVE-2015-3392 warning
CVE-2015-3391 critical
CVE-2015-3390 warning
CVE-2015-3389 warning
CVE-2015-3388 high
CVE-2015-3387 warning
CVE-2015-3386 warning
CVE-2015-3385 warning
CVE-2015-3384 warning
CVE-2015-3383 high
CVE-2015-3382 high
CVE-2015-3381 warning
CVE-2015-3380 high
CVE-2015-3379 warning
CVE-2015-3378 warning
CVE-2015-3376 warning
CVE-2015-3375 high
CVE-2015-3374 high
CVE-2015-3373 critical
CVE-2015-3372 warning
CVE-2015-3371 high
CVE-2015-3370 high
CVE-2015-3369 warning
CVE-2015-3368 warning
CVE-2015-3367 high
CVE-2015-3366 high
CVE-2015-3365 warning
CVE-2015-3364 warning
CVE-2015-3363 high
Solution
Update to the latest version, or choose other plugins to use.
Impacts
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to an attacker capturing information that is critical to the user or system.
Code injection. Exploitation of vulnerabilities with this impact can lead to changes in target code.
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
Affected Products
- Commerce WeDeal versions earlier than 7.x-1.3
- Ajax Timeline versions earlier than 7.x-1.1
- Path Breadcrumbs versions earlier than 7.x-3.2
- Facebook Album Fetcher all versions
- Public Download Count versions earlier than 7.x-1.x-dev
- Commerce Balanced Payments all versions
- Taxonomy Tools versions earlier than 7.x-1.4
- Node Access Product all versions
- Taxonomy Path versions earlier than 7.x-1.2
- Node basket all versions
- Feature Set all versions
- Views versions earlier than 6.x-2.18
- Views 6.x-3.x versions earlier than 6.x-3.2
- Views 7.x-3.x versions earlier than 7.x-3.10
- Quizzler versions earlier than 7-x.1.16
- Shibboleth Authentication versions earlier than 6.x-4.1
- Shibboleth Authentication 7.x-4.x versions earlier than 7.x-4.1
- Corner all versions
- Amazon AWS versions earlier than 7.x-1.3
- Node Invite versions earlier than 6.x-2.5
- Taxonews versions earlier than 6.x-1.2
- Taxonews 7.x-1.x versions earlier than 7.x-1.1
- Classified Ads versions earlier than 6.x-3.1
- Classified Ads 7.x-3.x versions earlier than 7.x-3.1
- Patterns versions earlier than 7.x-2.2
- Alfresco versions earlier than 6.x-1.3
- Nodeauthor all versions
- Content Analysis versions earlier than 6.x-1.7
- Contact Form Fields versions earlier than 6.x-2.3