CVSS2: AV:N/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS Percentile: 99.7%
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
Drupal core’s multisite feature dynamically determines which configuration file to use based on the HTTP Host header.
The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don’t actually use the multisite feature.
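As an added illustration (not Drupal's own code), a hypothetical Host header validator of the kind a multisite lookup should run before it uses the header to pick a configuration directory: it rejects malformed values and caps the header's length and label count, so the number of per-label directory probes one request can trigger stays bounded. The limits, character set and simplified lookup order are assumptions made for this example.

```python
import re

# Limits for this added example (constructed values, not taken from the advisory):
# they bound the per-label lookup work that one request can trigger.
MAX_HOST_LENGTH = 1000
MAX_HOST_DOTS = 100
# Hostname characters only: letters, digits, '-', '_', ':' (port) and IPv6 brackets.
_HOST_RE = re.compile(r'^\[?(?:[A-Za-z0-9:_\-\]]+\.?)+$')


def is_valid_http_host(host: str) -> bool:
    """Return True only for a Host header that is well-formed and bounded in size."""
    if not host or len(host) > MAX_HOST_LENGTH:
        return False
    if host.count('.') > MAX_HOST_DOTS:
        return False
    return _HOST_RE.match(host) is not None


def _strip_port(host: str) -> str:
    """Drop a ':port' suffix, keeping a bracketed IPv6 literal intact."""
    if host.startswith('['):
        return host[:host.index(']') + 1] if ']' in host else host
    return host.split(':', 1)[0]


def candidate_site_dirs(host: str) -> list:
    """List the multisite directory names to probe for a host, most specific
    first: www.example.com -> ['www.example.com', 'example.com', 'com'].
    Simplified hypothetical lookup, not Drupal's conf_path(); the request
    path is ignored. Refuses to resolve anything the validator rejects, so
    the number of probes is bounded by MAX_HOST_DOTS + 1."""
    if not is_valid_http_host(host):
        raise ValueError('refusing to resolve site directory: invalid Host header')
    labels = _strip_port(host.lower()).strip('.').split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels))]
```

Run the validator on the raw header value, before any filesystem access, and apply it on every site, since the advisory notes the lookup happens whether or not multisite is actually in use.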
The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn’t sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.
This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.
Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.
A cross-site scripting vulnerability was found due to Drupal’s form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.
This vulnerability is mitigated by the fact that it requires the “administer taxonomy” permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.
A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.
This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.
Install the latest version:
Also see the Drupal core project page.
drupal.org/project/drupal
www.drupal.org/drupal-6.32-release-notes
www.drupal.org/drupal-7.29-release-notes
www.drupal.org/node/2304561
www.drupal.org/project/filefield