Vulnerabilities > CVE-2016-3168 - 7PK - Security Features vulnerability in multiple products

CVSS 8.5 - HIGH

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

drupal

debian

CWE-254

nessus

NVD

Published: 2016-04-12

Updated: 2016-04-14

Summary

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Drupal Drupal Drupal 6.0 Drupal Drupal 6.1 Drupal Drupal 6.2 Drupal Drupal 6.3 Drupal Drupal 6.4 Drupal Drupal 6.5 Drupal Drupal 6.6 Drupal Drupal 6.7 Drupal Drupal 6.8 Drupal Drupal 6.9 Drupal Drupal 6.10 Drupal Drupal 6.11 Drupal Drupal 6.12 Drupal Drupal 6.13 Drupal Drupal 6.14 Drupal Drupal 6.15 Drupal Drupal 6.16 Drupal Drupal 6.17 Drupal Drupal 6.18 Drupal Drupal 6.19 Drupal Drupal 6.20 Drupal Drupal 6.21 Drupal Drupal 6.22 Drupal Drupal 6.23 Drupal Drupal 6.24 Drupal Drupal 6.25 Drupal Drupal 6.26 Drupal Drupal 6.27 Drupal Drupal 6.28 Drupal Drupal 6.29 Drupal Drupal 6.30 Drupal Drupal 6.31 Drupal Drupal 6.32 Drupal Drupal 6.33 Drupal Drupal 6.34 Drupal Drupal 6.35 Drupal Drupal 6.36 Drupal Drupal 6.37 Drupal Drupal 7.0 Drupal Drupal 7.1 Drupal Drupal 7.2 Drupal Drupal 7.3 Drupal Drupal 7.4 Drupal Drupal 7.5 Drupal Drupal 7.6 Drupal Drupal 7.7 Drupal Drupal 7.8 Drupal Drupal 7.9 Drupal Drupal 7.10 Drupal Drupal 7.11 Drupal Drupal 7.12 Drupal Drupal 7.13 Drupal Drupal 7.14 Drupal Drupal 7.15 Drupal Drupal 7.16 Drupal Drupal 7.17 Drupal Drupal 7.18 Drupal Drupal 7.19 Drupal Drupal 7.20 Drupal Drupal 7.21 Drupal Drupal 7.22 Drupal Drupal 7.23 Drupal Drupal 7.24 Drupal Drupal 7.25 Drupal Drupal 7.26 Drupal Drupal 7.27 Drupal Drupal 7.28 Drupal Drupal 7.29 Drupal Drupal 7.30 Drupal Drupal 7.31 Drupal Drupal 7.32 Drupal Drupal 7.33 Drupal Drupal 7.34 Drupal Drupal 7.35 Drupal Drupal 7.36 Drupal Drupal 7.37 Drupal Drupal 7.38 Drupal Drupal 7.40 Drupal Drupal 7.41 Drupal Drupal 7.42 Drupal Drupal 7.X-Dev	105
OS	Debian Debian Debian Linux 7.0 Debian Debian Linux 8.0	2

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

Nessus

NASL family	CGI abuses
NASL id	DRUPAL_7_43.NASL
description	The version of Drupal running on the remote web server is 7.x prior to 7.43. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the File module that allows an attacker to view, delete, or substitute a link to a file that has not yet been submitted or processed by a form. An authenticated, remote attacker can exploit this, via continuous deletion of temporary files, to block all file uploads to a site. - A flaw exists in the XML-RPC system due to a failure to limit the number of simultaneous calls being made to the same method. A remote attacker can exploit this to facilitate brute-force attacks. - A cross-site redirection vulnerability exists due to improper validation of unspecified input before returning it to the user, which can allow the current path to be filled-in with an external URL. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker
last seen	2020-03-21
modified	2016-03-04
plugin id	89683
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89683
title	Drupal 7.x < 7.43 Multiple Vulnerabilities

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3498.NASL
description	Multiple security vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at
last seen	2020-06-01
modified	2020-06-02
plugin id	89004
published	2016-02-29
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89004
title	Debian DSA-3498-1 : drupal7 - security update

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References