#VU560 Arbitrary code execution in Drupal

Cybersecurity Help s.r.o.

Published: 2016-09-20

Vulnerability identifier: #VU560

Vulnerability risk: High

CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows authenticated user to cause arbitary code execution on the target system.
The weakness exists due to validation errors. Attackers can get "post comments" permission and access to more than one input filter that allows them to execute arbitrary code.
Successful exploiatation of the vulnerability leads to arbitrary code execution on the vulnerable system.

Mitigation
Update 4.7.x to 4.7.6.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.6.tar.gz
Update 5.x to 5.1.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz

Vulnerable software versions

Drupal: 4.7.0 - 4.7.6, 5.0

External links
https://www.drupal.org/node/113935

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arbitrary code execution in Drupal Drupal