SB2013112106 - Fedora EPEL 6 update for drupal7

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2013112106

SB2013112106 - Fedora EPEL 6 update for drupal7

Published: November 21, 2013 Updated: April 24, 2025

Security Bulletin ID SB2013112106
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 40% Medium 20% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Cross-site request forgery (CVE-ID: CVE-2013-6385)

The vulnerability allows a remote user to perform cross-site request forgery attack.
The weakness exists due to improper functionality of form API validation preventing CSRF. The form carrying out unsafe operations will expose the system to cross-site request forgery attacks.
Successful expliation of the vulnerability allows attackers to conduct CSRF.

2) Cryptographic issues (CVE-ID: CVE-2013-6386)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.


3) Cross-site scripting (CVE-ID: CVE-2013-6387)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Cross-site scripting (CVE-ID: CVE-2013-6388)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


5) Open redirect (CVE-ID: CVE-2013-6389)

The weakness allows a remote attacker to obtain valid user's credential.
The vulnerability exists due to unsufficient URLs validation before showing their content. The Overlay module shows administrative pages instead of its substitution in the browser window that expose open redirect weakness.
Successful exploitation of the vulnerability may result in gaining access to the target user's data.

Remediation

Install update from vendor's website.

References