Drupal 7.x < 7.39 Multiple Vulnerabilities

The remote server is hosting an outdated version of Drupal, a PHP-based open-source content management system. The version of Drupal installed on the remote server is 7.x prior to 7.39, and is affected by the following vulnerabilities :

• A cross-site scripting (XSS) vulnerability exists in the autocomplete functionality due to improper validation of input passed via requested URLs. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code. (CVE-2015-6658)
• A SQL injection vulnerability exists in the SQL comment filtering system due to improper sanitization of user-supplied input before using it in SQL queries. An authenticated, remote attacker can exploit this to inject SQL queries, resulting in the manipulation or disclosure of arbitrary data. (CVE-2015-6659)
• A cross-site request forgery (CSRF) vulnerability exists in the form API due to improper validation of form tokens. An authenticated, remote attacker can exploit this, via a specially crafted link, to upload arbitrary files under another user’s account. (CVE-2015-6660)
• An information disclosure vulnerability exists that allows a remote, authenticated user to view the titles of nodes that they do not have access to. (CVE-2015-6661)
• A cross-site scripting vulnerability exists due to improper validation of user-supplied input when invoking ‘Drupal.ajax()’ on whitelisted HTML elements. A remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code. (CVE-2015-6665)