Fedora EPEL 7 update for drupal7
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2016-9449 CVE-2016-9450 CVE-2016-9451 CVE-2016-9452 |
| CWE-ID | CWE-200 CWE-345 CWE-601 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system drupal7 Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU40008
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9449
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.52-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-103c5b0f17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficient verification of data authenticity
EUVDB-ID: #VU40007
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-9450
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.52-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-103c5b0f17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Open redirect
EUVDB-ID: #VU40006
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9451
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.52-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-103c5b0f17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU40005
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-9452
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.52-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-103c5b0f17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
