Executive Summary
| Summary | |
|---|---|
| Title | New drupal packages fix several vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-1007 | First vendor Publication | 2006-03-17 |
| Vendor | Debian | Last vendor Modification | 2006-03-17 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5.1 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | High |
| Cvss Expoit Score | 4.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The Drupal Security Team discovered several vulnerabilities in Drupal, a fully-featured content management and discussion engine. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-1225 Due to missing input sanitising a remote attacker could inject headers of outgoing e-mail messages and use Drupal as a spam proxy. CVE-2006-1226 Missing input sanity checks allows attackers to inject arbitrary web script or HTML. CVE-2006-1227 Menu items created with the menu.module lacked access control for, which might allow remote attackers to access administrator pages. CVE-2006-1228 Markus Petrux discovered a bug in the session fixation which may allow remote attackers to gain Drupal user privileges. The old stable distribution (woody) does not contain Drupal packages. For the stable distribution (sarge) these problems have been fixed in version 4.5.3-6. For the unstable distribution (sid) these problems have been fixed in version 4.5.8-1. We recommend that you upgrade your drupal package. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1007 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 1007-1 (drupal) File : nvt/deb_1007_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 23912 | Drupal Email Crafted Header Spoofing Drupal contains a flaw allows a malicious user to insert line feeds and carriage returns into outgoing email. This allows the attacker to insert bogus headers into outgoing email. This could lead to Drupal sites being used to send unwanted email. |
| 23911 | Drupal Login Session Fixation Hijacking Drupal contains a flaw that may allow a malicious user to hijack a user's session. The issue is triggered when the victim clicks on a specially crafted link and then later logs on to Drupal resulting in a loss of integrity. |
| 23910 | Drupal Multiple Unspecified XSS Drupal contains a flaw that allows multiple unspecifies remote cross site scripting attacks. No further details have been provided. |
| 23909 | Drupal menu.module Menu Item Creation Page Restriction Bypass Drupal contains a flaw that may lead to an unauthorized information disclosure. When "menu.module" is used to create a menu item, the referenced page will be accessible by everyone, bypassing the expected page restriction. This may allow admin pages to be accessed by a remote attacker, resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1007.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:34 |
|
