CVE-2016-3163 - 7PK - Security Features vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE

Tags: network, low complexity, debian, drupal, CWE-254, nessus

Summary

The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.

Vulnerable Configurations

Part         Description   Count
OS           Debian        2
Application  Drupal        104

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CGI abuses
    NASL id: DRUPAL_7_43.NASL
    description: The version of Drupal running on the remote web server is 7.x prior to 7.43. It is, therefore, affected by the following vulnerabilities: - A flaw exists in the File module that allows an attacker to view, delete, or substitute a link to a file that has not yet been submitted or processed by a form. An authenticated, remote attacker can exploit this, via continuous deletion of temporary files, to block all file uploads to a site. - A flaw exists in the XML-RPC system due to a failure to limit the number of simultaneous calls being made to the same method. A remote attacker can exploit this to facilitate brute-force attacks. - A cross-site redirection vulnerability exists due to improper validation of unspecified input before returning it to the user, which can allow the current path to be filled in with an external URL. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker
    last seen: 2020-03-21
    modified: 2016-03-04
    plugin id: 89683
    published: 2016-03-04
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89683
    title: Drupal 7.x < 7.43 Multiple Vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3498.NASL
    description: Multiple security vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89004
    published: 2016-02-29
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89004
    title: Debian DSA-3498-1 : drupal7 - security update