Drupal 10.5.x < 10.5.9 / 10.6.x < 10.6.7 / 11.2.x < 11.2.11 / 11.3.x < 11.3.7 Multiple Vulnerabilities (drupal-2026-04-15)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(306602);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/20");

  script_cve_id("CVE-2026-6365", "CVE-2026-6366", "CVE-2026-6367");
  script_xref(name:"IAVA", value:"2026-A-0361");

  script_name(english:"Drupal 10.5.x < 10.5.9 / 10.6.x < 10.6.7 / 11.2.x < 11.2.11 / 11.3.x < 11.3.7 Multiple Vulnerabilities (drupal-2026-04-15)");

  script_set_attribute(attribute:"synopsis", value:
"A PHP application running on the remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of Drupal running on the remote web server is 10.5.x prior to
10.5.9, 10.6.x prior to 10.6.7, 11.2.x prior to 11.2.11, or 11.3.x prior to 11.3.7. It is, therefore, affected by
multiple vulnerabilities.

  - Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain
    options, which which can lead to a cross-site scripting (XSS) vulnerability. (CVE-2026-6365)

  - Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The
    suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting
    attack against another user. (CVE-2026-6367)

  - Drupal core contains a chain of methods that could be exploitable when an insecure deserialization
    vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector
    that can be used to achieve remote code execution or SQL injection if the application deserializes
    untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is
    mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to
    allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
    (CVE-2026-6366)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-003");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/11.3.7");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-002");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/10.5.9");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/10.6.7");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/11.2.11");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/psa-2021-06-29");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/psa-2023-11-01");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-001");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Drupal version 10.5.9 / 10.6.7 / 11.2.11 / 11.3.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-6365");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/16");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("drupal_detect.nasl");
  script_require_keys("installed_sw/Drupal", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');
include('http.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

var port = get_http_port(default:80, php:TRUE);

var app_info = vcf::get_app_info(app:'Drupal', port:port, webapp:TRUE);

vcf::check_granularity(app_info:app_info, sig_segments:2);

var constraints = [
  { 'min_version' : '10.5.0', 'fixed_version' : '10.5.9' },
  { 'min_version' : '10.6.0', 'fixed_version' : '10.6.7' },
  { 'min_version' : '11.2.0', 'fixed_version' : '11.2.11' },
  { 'min_version' : '11.3.0', 'fixed_version' : '11.3.7' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING,
    flags:{'sqli':TRUE, 'xss':TRUE}
);