Potential Drupal XSS flaw found
Dec 6 2011

On November 22nd, I discovered two vulnerabilities in sites based on Drupal Core 7.9 with default configuration. These were:

- an automatic remote phishing vulnerability (an automated email sent from a Drupal user's website can contain links to an attacker's site!)
  Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
  Suggested Drupal Security Risk Level: Moderately Critical (3 of 5)
- a potential XSS vulnerability (high access complexity: the attacker must have a MITM position or control of a proxy)
  Suggested CVSS v2.0: AV:A/AC:H/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
  Suggested Drupal Security Risk Level: Less Critical (2 of 5)

The technical details of this vulnerability have been removed until further notice from the Drupal security team 😉
By Administrator • Projects, Software