CVE-2016-3163 - 7PK - Security Features vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
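The amplification the summary describes comes from XML-RPC's system.multicall: a single HTTP request can carry many sub-calls to the same method, so a flood counter keyed on HTTP requests sees one event while the method (user.login, for example) runs dozens of times. The block below is an added example in Python, not Drupal code and not the patch shipped in SA-CORE-2016-001: it builds a multicall body with the standard library, counts the calls the body actually carries per method, and applies a hypothetical policy before dispatch. The limit of 10 calls, the no-repeated-method rule and the choice of user.login as the sensitive method are assumptions for illustration.

```python
"""Added example (not Drupal's code): inspecting XML-RPC system.multicall
batches for the brute-force amplification CVE-2016-3163 describes.
Policy values and method names are assumptions of this example."""
import xmlrpc.client
from collections import Counter
from xml.parsers.expat import ExpatError

# Hypothetical policy knobs; not values taken from Drupal's fix.
MAX_CALLS_PER_REQUEST = 10
SENSITIVE_METHODS = {"user.login"}


def build_multicall(calls):
    """Serialize a system.multicall request body.
    `calls` is a list of (method_name, params) pairs, one per sub-call."""
    structs = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


def build_single(method, params):
    """Serialize an ordinary (non-multicall) XML-RPC request body."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def inspect_request(body):
    """Count the calls an XML-RPC request body really carries.
    Returns {"total": n, "per_method": Counter}. A plain request is one
    call to its own method. Raises ValueError when a multicall entry is
    not a {methodName, params} struct."""
    params, methodname = xmlrpc.client.loads(body)
    if methodname != "system.multicall":
        return {"total": 1, "per_method": Counter({methodname: 1})}
    if len(params) != 1 or not isinstance(params[0], list):
        raise ValueError("system.multicall expects a single array parameter")
    names = []
    for call in params[0]:
        if not isinstance(call, dict) or "methodName" not in call:
            raise ValueError("multicall entry is not a methodName/params struct")
        names.append(call["methodName"])
    return {"total": len(names), "per_method": Counter(names)}


def check_policy(body):
    """Accept or reject a request before dispatching it. Returns (ok, reason).
    A flood counter keyed on HTTP requests would see every body as one event;
    this check looks at the number of calls inside the body instead."""
    try:
        summary = inspect_request(body)
    except (ValueError, TypeError, KeyError, ExpatError, xmlrpc.client.Fault) as exc:
        # Fail closed: anything we cannot parse is not dispatched.
        return False, f"malformed request: {exc}"
    if summary["total"] > MAX_CALLS_PER_REQUEST:
        return False, f"batch of {summary['total']} calls exceeds {MAX_CALLS_PER_REQUEST}"
    for name, count in summary["per_method"].items():
        if count > 1:
            return False, f"method {name} repeated {count} times in one request"
    if summary["total"] > 1 and SENSITIVE_METHODS & set(summary["per_method"]):
        return False, "sensitive method batched inside system.multicall"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: 50 password guesses against one account in one HTTP request.
    flood = build_multicall([("user.login", ("admin", f"guess{i}")) for i in range(50)])
    print(inspect_request(flood)["total"], "login calls carried by a single request")
    print(check_policy(flood))
```

The per-request view versus the per-call view is the whole point: `inspect_request` reports 50 calls for the constructed body above, where a request-counting flood limiter would have recorded one attempt. Rejecting repeated methods inside a multicall removes the amplification without disabling multicall for legitimate mixed batches.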
Vulnerable Configurations: Drupal 6.x before 6.38; Drupal 7.x before 7.43
Common Weakness Enumeration (CWE): CWE-254 (7PK - Security Features)
Nessus
- NASL family: CGI abuses
  NASL id: DRUPAL_7_43.NASL
  Description: The version of Drupal running on the remote web server is 7.x prior to 7.43. It is, therefore, affected by the following vulnerabilities:
    - A flaw exists in the File module that allows an attacker to view, delete, or substitute a link to a file that has not yet been submitted or processed by a form. An authenticated, remote attacker can exploit this, via continuous deletion of temporary files, to block all file uploads to a site.
    - A flaw exists in the XML-RPC system due to a failure to limit the number of simultaneous calls being made to the same method. A remote attacker can exploit this to facilitate brute-force attacks.
    - A cross-site redirection vulnerability exists due to improper validation of unspecified input before returning it to the user, which can allow the current path to be filled in with an external URL. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker
  Last seen: 2020-03-21; modified: 2016-03-04; plugin id: 89683; published: 2016-03-04
  Reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/89683
  Title: Drupal 7.x < 7.43 Multiple Vulnerabilities
- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DSA-3498.NASL
  Description: Multiple security vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at
  Last seen: 2020-06-01; modified: 2020-06-02; plugin id: 89004; published: 2016-02-29
  Reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/89004
  Title: Debian DSA-3498-1 : drupal7 - security update
References
- http://www.debian.org/security/2016/dsa-3498
- http://www.openwall.com/lists/oss-security/2016/02/24/19
- http://www.openwall.com/lists/oss-security/2016/03/15/10
- https://www.drupal.org/SA-CORE-2016-001