Published: 01/03/2018 Updated: 22/03/2018

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Drupal 8.4.x versions prior to 8.4.5 and Drupal 7.x versions prior to 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

Vulnerable Product	Search on Vulmon	Subscribe to Product
drupal drupal
debian debian linux 7.0
debian debian linux 9.0
debian debian linux 8.0

Multiple vulnerabilities have been found in the Drupal content management framework For additional information, please refer to the upstream advisory at wwwdrupalorg/sa-core-2018-001 For the oldstable distribution (jessie), this problem has been fixed in version 732-1+deb8u10 For the stable distribution (stretch), this problem has been ...

CWE-79 https://www.drupal.org/sa-core-2018-001 https://www.debian.org/security/2018/dsa-4123 https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html http://www.securityfocus.com/bid/103138 https://nvd.nist.gov https://www.debian.org/security/./dsa-4123

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2017-6927

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect