ID CVE-2016-9451
Summary Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
References
Vulnerable Configurations
  • Drupal 7.0
    cpe:2.3:a:drupal:drupal:7.0
  • Drupal 7.0 alpha1
    cpe:2.3:a:drupal:drupal:7.0:alpha1
  • Drupal 7.0 alpha2
    cpe:2.3:a:drupal:drupal:7.0:alpha2
  • Drupal 7.0 alpha3
    cpe:2.3:a:drupal:drupal:7.0:alpha3
  • Drupal 7.0 alpha4
    cpe:2.3:a:drupal:drupal:7.0:alpha4
  • Drupal 7.0 alpha5
    cpe:2.3:a:drupal:drupal:7.0:alpha5
  • Drupal 7.0 alpha6
    cpe:2.3:a:drupal:drupal:7.0:alpha6
  • Drupal 7.0 alpha7
    cpe:2.3:a:drupal:drupal:7.0:alpha7
  • Drupal 7.0 Beta 1
    cpe:2.3:a:drupal:drupal:7.0:beta1
  • Drupal 7.0 Beta 2
    cpe:2.3:a:drupal:drupal:7.0:beta2
  • Drupal 7.0 Beta 3
    cpe:2.3:a:drupal:drupal:7.0:beta3
  • Drupal 7.0 dev
    cpe:2.3:a:drupal:drupal:7.0:dev
  • Drupal 7.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:7.0:rc1
  • Drupal 7.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:7.0:rc2
  • Drupal 7.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:7.0:rc3
  • Drupal 7.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:7.0:rc4
  • Drupal 7.1
    cpe:2.3:a:drupal:drupal:7.1
  • Drupal 7.10
    cpe:2.3:a:drupal:drupal:7.10
  • Drupal 7.11
    cpe:2.3:a:drupal:drupal:7.11
  • Drupal 7.12
    cpe:2.3:a:drupal:drupal:7.12
  • Drupal 7.13
    cpe:2.3:a:drupal:drupal:7.13
  • Drupal 7.14
    cpe:2.3:a:drupal:drupal:7.14
  • Drupal 7.15
    cpe:2.3:a:drupal:drupal:7.15
  • Drupal 7.16
    cpe:2.3:a:drupal:drupal:7.16
  • Drupal 7.17
    cpe:2.3:a:drupal:drupal:7.17
  • Drupal 7.18
    cpe:2.3:a:drupal:drupal:7.18
  • Drupal 7.19
    cpe:2.3:a:drupal:drupal:7.19
  • Drupal 7.2
    cpe:2.3:a:drupal:drupal:7.2
  • Drupal 7.20
    cpe:2.3:a:drupal:drupal:7.20
  • Drupal 7.21
    cpe:2.3:a:drupal:drupal:7.21
  • Drupal 7.22
    cpe:2.3:a:drupal:drupal:7.22
  • Drupal 7.23
    cpe:2.3:a:drupal:drupal:7.23
  • Drupal 7.24
    cpe:2.3:a:drupal:drupal:7.24
  • Drupal 7.25
    cpe:2.3:a:drupal:drupal:7.25
  • Drupal 7.26
    cpe:2.3:a:drupal:drupal:7.26
  • Drupal 7.27
    cpe:2.3:a:drupal:drupal:7.27
  • Drupal 7.28
    cpe:2.3:a:drupal:drupal:7.28
  • Drupal 7.29
    cpe:2.3:a:drupal:drupal:7.29
  • Drupal 7.3
    cpe:2.3:a:drupal:drupal:7.3
  • Drupal 7.30
    cpe:2.3:a:drupal:drupal:7.30
  • Drupal 7.31
    cpe:2.3:a:drupal:drupal:7.31
  • Drupal 7.32
    cpe:2.3:a:drupal:drupal:7.32
  • Drupal 7.33
    cpe:2.3:a:drupal:drupal:7.33
  • Drupal 7.34
    cpe:2.3:a:drupal:drupal:7.34
  • Drupal 7.35
    cpe:2.3:a:drupal:drupal:7.35
  • Drupal 7.36
    cpe:2.3:a:drupal:drupal:7.36
  • Drupal 7.37
    cpe:2.3:a:drupal:drupal:7.37
  • Drupal 7.38
    cpe:2.3:a:drupal:drupal:7.38
  • Drupal 7.4
    cpe:2.3:a:drupal:drupal:7.4
  • Drupal 7.40
    cpe:2.3:a:drupal:drupal:7.40
  • Drupal 7.41
    cpe:2.3:a:drupal:drupal:7.41
  • Drupal 7.42
    cpe:2.3:a:drupal:drupal:7.42
  • Drupal 7.43
    cpe:2.3:a:drupal:drupal:7.43
  • Drupal 7.44
    cpe:2.3:a:drupal:drupal:7.44
  • Drupal 7.50
    cpe:2.3:a:drupal:drupal:7.50
  • Drupal 7.51
    cpe:2.3:a:drupal:drupal:7.51
CVSS
Base: 4.9 (as of 29-11-2016 - 10:39)
Impact:
Exploitability:
CWE CWE-601
CAPEC
  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3718.NASL
    description Multiple vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/SA-CORE-2016-005
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 94943
    published 2016-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94943
    title Debian DSA-3718-1 : drupal7 - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-715.NASL
    description Multiple vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/SA-CORE-2016-005. For Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u15. We recommend that you upgrade your drupal7 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 95031
    published 2016-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95031
    title Debian DLA-715-1 : drupal7 security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_8DB24888B2F511E6815300248C0C745D.NASL
    description The Drupal development team reports:
    Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)
    Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access. As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.
    Incorrect cache context on password reset page (Less critical - Drupal 8)
    The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.
    Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
    Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.
    Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
    A specially crafted URL can cause a denial of service via the transliterate mechanism.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95365
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95365
    title FreeBSD : Drupal Code -- Multiple Vulnerabilities (8db24888-b2f5-11e6-8153-00248c0c745d)
  • NASL family CGI abuses
    NASL id DRUPAL_8_2_3.NASL
    description The version of Drupal running on the remote web server is 7.x prior to 7.52 or 8.x prior to 8.2.3. It is, therefore, affected by multiple vulnerabilities:
    - An information disclosure vulnerability exists in the taxonomy module when using access query tags that are inconsistent with the standard system used by Drupal Core. An unauthenticated, remote attacker can exploit this to disclose sensitive information regarding taxonomy terms. (CVE-2016-9449)
    - A flaw exists in the password reset form due to a failure to properly specify a cache context. An unauthenticated, remote attacker can exploit this to poison the cache, by adding, for example, unwanted content to the page. Note that this issue only affects version 8.x. (CVE-2016-9450)
    - A cross-site redirection vulnerability exists in the confirmation form due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to redirect the user to a website of the attacker's choosing. Note that this issue only affects version 7.x. (CVE-2016-9451)
    - A denial of service vulnerability exists in the transliterate mechanism when handling specially crafted URLs. An unauthenticated, remote attacker can exploit this to cause a crash. Note that this issue only affects version 8.x. (CVE-2016-9452)
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-06-14
    plugin id 95026
    published 2016-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95026
    title Drupal 7.x < 7.52 / 8.x < 8.2.3 Multiple Vulnerabilities
refmap via4
bid 94367
confirm https://www.drupal.org/SA-CORE-2016-005
debian DSA-3718
Last major update 06-01-2017 - 22:00
Published 25-11-2016 - 13:59