
Multiple Vulnerabilities in Drupal

 

Systems Affected


• Drupal Storage API 7.x-1.x versions prior to 7.x-1.6
• Drupal Date module 7.x-2.x versions prior to 7.x-2.8

Threat Level


Medium


Overview


Two vulnerabilities have been reported in Drupal which could be exploited by an attacker to conduct cross-site scripting (XSS) attacks or execute arbitrary code on the targeted system.


Description


1. Cross-site Scripting Vulnerability in Date module in Drupal (CVE-2014-5169)
This vulnerability exists in the Date module in Drupal because the module prints date field titles without proper validation of user-supplied input. A remote attacker could exploit this vulnerability to execute arbitrary script code in the context of the vulnerable site, and potentially steal cookie-based authentication credentials.

2. Arbitrary Code Execution Vulnerability in Storage API module in Drupal (CVE-2014-5170)
This vulnerability exists in the Storage API module in Drupal because the module does not properly use safeguards similar to those found in Drupal's file API to manage uploads in a safe manner. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of the user and cause denial-of-service conditions.


Impact



Solution/Workarounds


Apply the appropriate updates as described in the Drupal security advisories:

https://www.drupal.org/node/2312769
https://www.drupal.org/node/2312609
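
To confirm whether an installed module is older than the fixed releases listed under Systems Affected, the following added example (not part of the advisory or of Drupal) reads the `version` and `project` keys from a module's `.info` file and compares them with 7.x-2.8 and 7.x-1.6. The project names `date` and `storage_api`, the sample `.info` text and the function names are assumptions made for illustration.

```python
import re

# Fixed releases come from the advisory. The project machine names
# ("date", "storage_api") are assumptions about the .info "project" key.
FIXED = {"date": ("7.x-2", 8), "storage_api": ("7.x-1", 6)}

INFO_KEY = re.compile(r'^\s*(version|project)\s*=\s*"?([^"\n]+?)"?\s*$', re.M)
RELEASE = re.compile(r'^(\d+\.x-\d+)\.(\d+)(-(?:alpha|beta|rc)\d*)?$')

# Constructed sample: the tail of a packaged module's .info file.
SAMPLE_INFO = '''name = Date
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-2.7"
project = "date"
'''


def parse_info(text):
    """Return (project, version) read from the text of a .info file."""
    keys = dict(INFO_KEY.findall(text))
    return keys.get("project"), keys.get("version")


def assess(project, version):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'review'."""
    if project not in FIXED:
        return "not-listed"
    branch, fixed_patch = FIXED[project]
    match = RELEASE.match(version or "")
    if not match:
        return "review"  # dev snapshot or missing version: cannot compare
    if match.group(1) != branch:
        return "not-listed"  # the advisory names only this branch
    patch, prerelease = int(match.group(2)), match.group(3)
    # Compare numerically (2.10 > 2.8); treating a pre-release of the
    # fixed number (2.8-rc1) as prior to it is an assumption.
    if patch < fixed_patch or (patch == fixed_patch and prerelease):
        return "vulnerable"
    return "fixed"


if __name__ == "__main__":
    project, version = parse_info(SAMPLE_INFO)
    print(project, version, assess(project, version))
```

A result of `review` means the version string is a development snapshot or is missing, so the module needs a manual check against the advisories.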


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.