|
Description
|
|
(#Several vulnerabilities have been identified in Drupal third-party modules:#- Opening hours: cross-site scripting. A remote attacker could exploit it by enticing their victim into opening a specially crafted link in order to execute arbitrary HTML or JavaScript code. This vulnerability is due to improper validation of user-supplied input##- Registration codes: Access bypass. A remote attacker could exploit it by using a specially formed registration code in order to sign in without authorization. This vulnerability is due to a lack of verification of registration code##- Views Megarow: Access bypass and information disclosure. An attacker could exploit it in order to display sensitive content. This vulnerability is due to a lack of verification of user access permissions##- Dropbox client: cross-site scripting, access bypass, cross-site request forgery as well as information disclosure.##- XML Sitemap: cross-site scripting. A remote attacker could exploit it by enticing their victim into opening a specially crafted link in order to execute arbitrary HTML or JavaScript code. This vulnerability is due to improper validation of user-supplied input##- Page manager search: information disclosure. The module doesn't block access to Page Manager pages which have been disabled##- REST JSON: access bypass and information disclosure##- Node Embed: denial of service. An attacker with a permission to create content could exploit it in order to cause a crash of the application##- Outline designer: cross-site scripting. A remote attacker could exploit it by enticing their victim into opening a specially crafted link in order to execute arbitrary HTML or JavaScript code. This vulnerability is due to improper validation of user-supplied input.)
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
Drupal (Drupal) - 6.x, 7.x
|
|
|
|
|
|
Solution
|
|
- Outline designer: 7.x-2.3
|
|
|
|
|
|
CVE
|
|
|
|
|
|
|
|
References
|
|
- Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
https://www.drupal.org/node/2728693
- Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029
https://www.drupal.org/node/2728713
- REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033
https://www.drupal.org/node/2744889
- Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035
https://www.drupal.org/node/2745075
- Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032
https://www.drupal.org/node/2744893
- Node Embed - Less critical - Denial of Service - SA-CONTRIB-2016-034
https://www.drupal.org/node/2744917
- XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030
https://www.drupal.org/node/2733537
- Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031
https://www.drupal.org/node/2738707
- Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028
https://www.drupal.org/node/2728711
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
