Vulnerabilities > CVE-2016-3164

CVSS 5.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

drupal

debian

nessus

NVD

Published: 2016-04-12

Updated: 2016-04-13

Summary

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation. <a href="http://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a>

Vulnerable Configurations

Part	Description	Count
Application	Drupal Drupal Drupal 6.0 Drupal Drupal 6.1 Drupal Drupal 6.2 Drupal Drupal 6.3 Drupal Drupal 6.4 Drupal Drupal 6.5 Drupal Drupal 6.6 Drupal Drupal 6.7 Drupal Drupal 6.8 Drupal Drupal 6.9 Drupal Drupal 6.10 Drupal Drupal 6.11 Drupal Drupal 6.12 Drupal Drupal 6.13 Drupal Drupal 6.14 Drupal Drupal 6.15 Drupal Drupal 6.16 Drupal Drupal 6.17 Drupal Drupal 6.18 Drupal Drupal 6.19 Drupal Drupal 6.20 Drupal Drupal 6.21 Drupal Drupal 6.22 Drupal Drupal 6.23 Drupal Drupal 6.24 Drupal Drupal 6.25 Drupal Drupal 6.26 Drupal Drupal 6.27 Drupal Drupal 6.28 Drupal Drupal 6.29 Drupal Drupal 6.30 Drupal Drupal 6.31 Drupal Drupal 6.32 Drupal Drupal 6.33 Drupal Drupal 6.34 Drupal Drupal 6.35 Drupal Drupal 6.36 Drupal Drupal 6.37 Drupal Drupal 7.0 Drupal Drupal 7.1 Drupal Drupal 7.2 Drupal Drupal 7.3 Drupal Drupal 7.4 Drupal Drupal 7.5 Drupal Drupal 7.6 Drupal Drupal 7.7 Drupal Drupal 7.8 Drupal Drupal 7.9 Drupal Drupal 7.10 Drupal Drupal 7.11 Drupal Drupal 7.12 Drupal Drupal 7.13 Drupal Drupal 7.14 Drupal Drupal 7.15 Drupal Drupal 7.16 Drupal Drupal 7.17 Drupal Drupal 7.18 Drupal Drupal 7.19 Drupal Drupal 7.20 Drupal Drupal 7.21 Drupal Drupal 7.22 Drupal Drupal 7.23 Drupal Drupal 7.24 Drupal Drupal 7.25 Drupal Drupal 7.26 Drupal Drupal 7.27 Drupal Drupal 7.28 Drupal Drupal 7.29 Drupal Drupal 7.30 Drupal Drupal 7.31 Drupal Drupal 7.32 Drupal Drupal 7.33 Drupal Drupal 7.34 Drupal Drupal 7.35 Drupal Drupal 7.36 Drupal Drupal 7.37 Drupal Drupal 7.38 Drupal Drupal 7.40 Drupal Drupal 7.41 Drupal Drupal 7.42 Drupal Drupal 7.X-Dev Drupal Drupal 8.0.0 Drupal Drupal 8.0.1 Drupal Drupal 8.0.2 Drupal Drupal 8.0.3	141
OS	Debian Debian Debian Linux 7.0 Debian Debian Linux 8.0	2

Nessus

NASL family	CGI abuses
NASL id	DRUPAL_7_43.NASL
description	The version of Drupal running on the remote web server is 7.x prior to 7.43. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the File module that allows an attacker to view, delete, or substitute a link to a file that has not yet been submitted or processed by a form. An authenticated, remote attacker can exploit this, via continuous deletion of temporary files, to block all file uploads to a site. - A flaw exists in the XML-RPC system due to a failure to limit the number of simultaneous calls being made to the same method. A remote attacker can exploit this to facilitate brute-force attacks. - A cross-site redirection vulnerability exists due to improper validation of unspecified input before returning it to the user, which can allow the current path to be filled-in with an external URL. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker
last seen	2020-03-21
modified	2016-03-04
plugin id	89683
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89683
title	Drupal 7.x < 7.43 Multiple Vulnerabilities

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3498.NASL
description	Multiple security vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at
last seen	2020-06-01
modified	2020-06-02
plugin id	89004
published	2016-02-29
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89004
title	Debian DSA-3498-1 : drupal7 - security update

Vulnerabilities > CVE-2016-3164 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2016-3164"}]}

Summary

Vulnerable Configurations

Nessus

References

Vulnerabilities > CVE-2016-3164