4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
49.0%
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities :
A flaw exists that is due to the program allowing users who have rights to edit a node to set the visibility for comments on that node. This may allow an authenticated remote attacker to adjust a node’s comment visibility preferences without the appropriate privileges. (CVE-2016-7570)
A flaw exists that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when handling HTTP exception messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2016-7571)
A flaw exists related to the ‘system.temporary’ route that may allow an authenticated remote attacker to download the full config export without the appropriate privileges. This may allow the attacker to gain unauthorized access to sensitive information. (CVE-2016-7572)
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7570
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7571
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7572
www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2016-09-21/drupal-core-critical-multiple
www.drupal.org/project/drupal/releases/8.2.0-rc2
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
49.0%