SB2017062401 - Debian update for drupal7
Published: June 24, 2017 Updated: June 29, 2017
Security Bulletin ID
SB2017062401
CSH Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Open redirect (CVE-ID: CVE-2015-7943)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows attackers to obtain potentially sensitive information.
The weakness exists due to unproper functionality of Overlay module that unsufficiently checks the URLs. The module also shows administrative page in the browser instead of its substitution.
Successful exploitation of this vulnerability may result in obtaining potentially sensitive data.
2) Security restrictions bypass (CVE-ID: CVE-2017-6922)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient file protection. A remote attacker can bypass access restrictions and view private files that have been uploaded by an anonymous user but not permanently attached to content on the site.
Successful exploitation of the vulnerability may result in access bypass.
Note: The vulnerability was being actively exploited for spam purposes.
Remediation
Install update from vendor's website.