Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
drupalDrupal Security TeamDRUPAL-SA-CONTRIB-2015-175
HistoryDec 16, 2015 - 12:00 a.m.

Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175

2015-12-1600:00:00
Drupal Security Team
www.drupal.org
1

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.967 High

EPSS

Percentile

99.7%

JSON

This module enables you to add custom classes to blocks.
The module doesn’t sufficiently scrub class names written by a malicious block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer block classes”.

CVE identifier(s) issued

  • CVE-2016-3144

Versions affected

  • block_class 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the block_class module for Drupal 7.x, upgrade to block_class 7.x-2.2

Also see the Block Class project page.

Reported by

Fixed by

Coordinated by

Related

nvd 1
openvas 3
prion 1
cvelist 1
nessus 3
cve 1
fedora 3
nvd
nvd
CVE-2016-3144
2016-04-15 15:59:02
openvas
openvas
Fedora Update for drupal7-block_class FEDORA-2016-687
2016-04-18 00:00:00
Fedora Update for drupal7-block_class FEDORA-2016-8
2016-04-22 00:00:00
Fedora Update for drupal7-block_class FEDORA-2016-0
2016-04-22 00:00:00
prion
prion
Cross site scripting
2016-04-15 15:59:00
cvelist
cvelist
CVE-2016-3144
2016-04-15 15:00:00
nessus
nessus
Fedora 24 : drupal7-block_class-2.3-1.fc24 (2016-687b3a3d5d)
2016-04-22 00:00:00
Fedora 23 : drupal7-block_class-2.3-1.fc23 (2016-0d82b3eb5d)
2016-04-22 00:00:00
Fedora 22 : drupal7-block_class-2.3-1.fc22 (2016-8d983eeb13)
2016-04-22 00:00:00
cve
cve
CVE-2016-3144
2016-04-15 15:59:02
fedora
fedora
[SECURITY] Fedora 24 Update: drupal7-block_class-2.3-1.fc24
2016-04-17 23:46:41
[SECURITY] Fedora 23 Update: drupal7-block_class-2.3-1.fc23
2016-04-22 01:27:52
[SECURITY] Fedora 22 Update: drupal7-block_class-2.3-1.fc22
2016-04-22 01:52:33

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.967 High

EPSS

Percentile

99.7%

JSON
Related for DRUPAL-SA-CONTRIB-2015-175
nvd1openvas3prion1cvelist1nessus3cve1fedora3