146 matches found
Drupalgeddon3: Third Critical Flaw Discovered
For the third time in the last 30 days, Drupal site owners are forced to patch their installations. As the Drupal team noted a few days ago, new versions of the Drupal CMS were released, to patch one more critical RCE vulnerability affecting Drupal 7 and 8 core. The vulnerability, code-named...
Drupal Form API command execution
Added: 04/25/2018. CVE: CVE-2018-7600. BID: 103534. Background: Drupal is an open-source content management system written in PHP. Problem: Insufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. Resolution: Upgrade to Drupal 7.58, 8.3.9, 8.4.6,...
CVE-2016-3165
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "access" set to FALSE in the server-side form definition...
Design/Logic Flaw
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "access" set to FALSE in the server-side form definition...
CVE-2016-3165
The issue CVE-2016-3165 affects Drupal 6.x before 6.38 where the Form API fails to enforce access restrictions on submit buttons. The server-side form definition may mark a button as #access = FALSE, yet a form submission can still be accepted if the attacker has permission to submit the form, ef...
CVE-2016-3165
Removed by vendor...
FreeBSD : drupal -- multiple vulnerabilities (59a0af97-dbd4-11e5-8fa8-14dae9d210b8)
Drupal Security Team reports: - File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical) - Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical) - Open redirect via path manipulation (Base system - Drupal 6, 7...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001
File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical). A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted...
drupal -- multiple vulnerabilities
Drupal Security Team reports: File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical); Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical); Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 ...
Form API ignores access restrictions on submit buttons
More info at https://www.drupal.org/SA-CORE-2016-001...
Fedora 22 : drupal6-6.37-1.fc22 (2015-14444)
"Maintenance and security release of the Drupal 6 series. This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement: Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003 No other fixes are...
Fedora 23 : drupal6-6.37-1.fc23 (2015-14443)
"Maintenance and security release of the Drupal 6 series. This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement: Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003 No other fixes are...
Drupal 6.x < 6.37, 7.x < 7.39 Multiple Vulnerabilities (SA-CORE-2015-003) - Windows
Drupal is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2015 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:drupal:drupal"...
Updated drupal packages fix security vulnerabilities
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files (CVE-2015-6658). SQL injection vulnerability in the SQL comment filtering system in the Database API i...
CVE-2015-6660
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."...