[3.3] drupal7: Multiple Vulnerabilities (no CVE)
CVE ID: not yet available
File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)
A vulnerability exists in the File module that allows a malicious user
to view, delete or substitute
a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed.
If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting
all temporary files before they can be saved.
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)
The XML-RPC system allows a large number of calls to the same method to
be made at once, which can be
used as an enabling factor in brute force attacks (for example, attempting to determine user passwords
by submitting a large number of password variations at once). This vulnerability is mitigated by the
fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing.
There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module.
It is additionally mitigated if flood control protection is in place for the method in question.
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)
In Drupal 6 and 7, the current path can be populated with an external
This can lead to Open Redirect vulnerabilities.
Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)
Drupal core has a reflected file download vulnerability that could allow
to trick a user into downloading and running a file with arbitrary JSON-encoded content.
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)
Some specific contributed or custom code may call Drupal’s user_save()
API in a manner different than Drupal core.
Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.
Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)
In certain configurations where a user’s email addresses could be used
to log in instead of their username,
links to “have you forgotten your password” could reveal the username associated with a particular email address,
leading to an information disclosure vulnerability.
Drupal core 6.x versions prior to 6.38
Drupal core 7.x versions prior to 7.43
Drupal core 8.0.x versions prior to 8.0.4
Install the latest version:
If you use Drupal 6.x, upgrade to Drupal core 6.38
If you use Drupal 7.x, upgrade to Drupal core 7.43
If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4
(from redmine: issue id 5239, created on 2016-03-08, closed on 2016-03-14)
main/drupal7: security upgrade to 7.43. Fixes #5239 (cherry picked from commit 88647c550362ddfd9fef660d16d75c265df67c8d)