Debian update for drupal7
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2015-7943 CVE-2017-6922 |
| CWE-ID | CWE-601 CWE-693 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #2 is being exploited in the wild. |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Open redirect
EUVDB-ID: #VU427
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-7943
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows attackers to obtain potentially sensitive information.
The weakness exists due to unproper functionality of Overlay module that unsufficiently checks the URLs. The module also shows administrative page in the browser instead of its substitution.
Successful exploitation of this vulnerability may result in obtaining potentially sensitive data.
Update the affected package to version: 7.32-1+deb8u9, 7.52-2+deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3897
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU7179
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C]
CVE-ID: CVE-2017-6922
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient file protection. A remote attacker can bypass access restrictions and view private files that have been uploaded by an anonymous user but not permanently attached to content on the site.
Successful exploitation of the vulnerability may result in access bypass.
Note: The vulnerability was being actively exploited for spam purposes.
Update the affected package to version: 7.32-1+deb8u9, 7.52-2+deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3897
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
