This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_113065Drupal 9.1.x < 9.1.14 Cross-Site Scripting
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
0.004 Low
EPSS
Percentile
75.1%
According to its self-reported version, the instance of Drupal running on the remote web server is 8.9.x prior to 8.9.20, 9.1.x prior to 9.1.14, or 9.2.x prior to 9.2.9. It is, therefore, affected by multiple cross-site scripting vulnerabilities due to its usage of a third party component, CKEditor, for WYSIWYG editing:
-
A Cross-Site Scripting (XSS) was discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. (CVE-2021-41165)
-
A Cross-Site Scripting (XSS) was discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. (CVE-2021-41164)
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
No source dataRelated
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
0.004 Low
EPSS
Percentile
75.1%