ByteOS Network

NVD Vulnerability Details :

CVE-2017-6929

Analyzed

Source-mlhess@drupal.org

Published At-01 Mar, 2018 | 23:29

Updated At-21 Mar, 2018 | 16:54

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary	2.0	4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N

CPE Matches

The Drupal Association

>>drupal>>Versions from 7.0(inclusive) to 7.57(exclusive)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

The Drupal Association

>>drupal>>Versions from 8.0.0(inclusive) to 8.4.0(exclusive)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>7.0

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>8.0

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>9.0

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	nvd@nist.gov

References

Hyperlink	Source	Resource
https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html	mlhess@drupal.org	Issue Tracking
https://www.debian.org/security/2018/dsa-4123	mlhess@drupal.org	Third Party Advisory
https://www.drupal.org/sa-core-2018-001	mlhess@drupal.org	Mitigation Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History