4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
51.7%
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/drupal | lt | 7.57 | |
drupal/drupal | lt | 8.4.5 | |
drupal/core | lt | 7.57 | |
drupal/core | lt | 8.4.5 |
www.securityfocus.com/bid/103138
github.com/advisories/GHSA-585j-5449-mf5m
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6927.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6927.yaml
lists.debian.org/debian-lts-announce/2018/02/msg00030.html
nvd.nist.gov/vuln/detail/CVE-2017-6927
www.debian.org/security/2018/dsa-4123
www.drupal.org/sa-core-2018-001
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
51.7%