KLA10563
Multiple vulnerabilities in Drupal modules
Updated: 06/01/2019
Detect date
?
04/21/2015
Severity
?
High
Description

Multiple serious vulnerabilities have been found in Drupal modules. Malicious users can exploit these vulnerabilities to bypass security restrictions, inject arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities

  1. Open redirect vulnerabilities in Commerce WeDeal, Node basket, Views and Node Invite modules can be exploited remotely via unspecified vectors;
  2. XSS vulnerabilities in Ajax Timeline, Facebook Album Fetcher, Public Download Count, Taxonomy Tools, Node Access Product, Taxonomy Path, Commerce Balanced Payments, Node basket, Quizzler, Node Invite, Taxonews, Classified Ads, Nodeauthor and Content Analysis modules can be exploited remotely via a specially designed parameters or other unknown vectors;
  3. Unknown vulnerability in Path Breadcrumbs module can be exploited remotely via a 403 page reading;
  4. CSRF vulnerabilities in Node basket, Feature Set, Shibboleth Authentication, Corner, Node Invite, Patterns, Alfresco and Contact Form Fields modules can be exploited remotely via an unspecified vectors;
  5. An improper access restrictions in Views module can be exploited remotely via an unknown vectors;
  6. Improper token generation in Amazon AWS module can be exploited remotely via an unspecified vectors.
Affected products

Commerce WeDeal versions earlier than 7.x-1.3
Ajax Timeline versions earlier than 7.x-1.1
Path Breadcrumbs versions earlier than 7.x-3.2
Facebook Album Fetcher all versions
Public Download Count versions earlier than 7.x-1.x-dev
Commerce Balanced Payments all versions
Taxonomy Tools versions earlier than 7.x-1.4
Node Access Product all versions
Taxonomy Path versions earlier than 7.x-1.2
Node basket all versions
Feature Set all versions
Views versions earlier than 6.x-2.18
Views 6.x-3.x versions earlier than 6.x-3.2
Views 7.x-3.x versions earlier than 7.x-3.10
Quizzler versions earlier than 7-x.1.16
Shibboleth Authentication versions earlier than 6.x-4.1
Shibboleth Authentication 7.x-4.x versions earlier than 7.x-4.1
Corner all versions
Amazon AWS versions earlier than 7.x-1.3
Node Invite versions earlier than6.x-2.5
Taxonews versions earlier than 6.x-1.2
Taxonews 7.x-1.x versions earlier than 7.x-1.1
Classified Ads versions earlier than 6.x-3.1
Classified Ads 7.x-3.x versions earlier than 7.x-3.1
Patterns versions earlier than 7.x-2.2
Alfresco versions earlier than 6.x-1.3
Nodeauthor all versions
Content Analysis versions earlier than 6.x-1.7
Contact Form Fields versions earlier than 6.x-2.3

Solution

Update to the latest version or check out another plugins to use.

Impacts
?
OSI 
[?]

CI 
[?]

SB 
[?]
CVE-IDS
?
CVE-2015-33935.8High
CVE-2015-33923.5Warning
CVE-2015-33915.0Critical
CVE-2015-33903.5Warning
CVE-2015-33893.5Warning
CVE-2015-33885.8High
CVE-2015-33873.5Warning
CVE-2015-33863.5Warning
CVE-2015-33853.5Warning
CVE-2015-33843.5Warning
CVE-2015-33835.8High
CVE-2015-33825.8High
CVE-2015-33813.5Warning
CVE-2015-33805.8High
CVE-2015-33794.0Warning
CVE-2015-33784.9Warning
CVE-2015-33763.5Warning
CVE-2015-33755.8High
CVE-2015-33745.8High
CVE-2015-33735.0Critical
CVE-2015-33723.5Warning
CVE-2015-33715.8High
CVE-2015-33706.8High
CVE-2015-33693.5Warning
CVE-2015-33683.5Warning
CVE-2015-33676.8High
CVE-2015-33665.8High
CVE-2015-33653.5Warning
CVE-2015-33644.3Warning
CVE-2015-33636.8High