The remote server is hosting an outdated version of Drupal, a PHP-based open-source content management system. The version of Drupal installed on the remote server is 7.x prior to 7.38, and is affected by the following vulnerabilities:
- An open redirect vulnerability exists due to improper validation of user-supplied input to the ‘destinations’ parameter in the Field UI module. A remote attacker can exploit this issue, via a specially crafted URL, to redirect users to a third-party website. (CVE-2015-3231)
- An open redirect vulnerability exists due to improper validation of URLs prior to displaying their contents via the Overlay module on administrative pages. (CVE-2015-3232)
- An information disclosure vulnerability exists due to a flaw in the render cache system. An attacker can exploit this flaw to view private content of arbitrary users. (CVE-2015-3233)
- A security bypass vulnerability exists due to a flaw in the OpenID module. A remote attacker can exploit this flaw to log in as other users, including administrators. Note that victims must have an existing OpenID account from a particular set of OpenID providers including, but not limited to, Verisign, LiveJournal, or StackExchange. (CVE-2015-3234)