6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
Several vulnerabilities (SA-CORE-2010-001) have been discovered in
drupal6, a fully-featured content management framework.
A user-supplied value is directly output during installation allowing a
malicious user to craft a URL and perform a cross-site scripting attack.
The exploit can only be conducted on sites not yet installed.
The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal site
to send the user to an arbitrarily provided URL.
No user submitted data will be sent to that URL.
Locale module and dependent contributed modules do not sanitize the display
of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary administrator
input is allowed.
This vulnerability is mitigated by the fact that the attacker must have a
role with the ‘administer languages’ permission.
Under certain circumstances, a user with an open session that is blocked
can maintain his/her session on the Drupal site, despite being blocked.
For the stable distribution (lenny), these problems have been fixed in
version 6.6-3lenny5.
For the unstable distribution (sid), these problems have been fixed in
version 6.16-1, and will migrate to the testing distribution (squeeze)
shortly.
We recommend that you upgrade your drupal6 package.
CPE | Name | Operator | Version |
---|---|---|---|
drupal6 | eq | 6.6-3lenny3 | |
drupal6 | eq | 6.6-3 | |
drupal6 | eq | 6.6-3lenny2 | |
drupal6 | eq | 6.6-3lenny4 | |
drupal6 | eq | 6.6-3lenny1 |
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N