CVE-2017-6929
published 2018-03-01CVE-2017-6929: A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it…
PriorityP425medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EPSS
1.27%
66.1th percentile
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| drupal.org | drupal_core | — | — |
| drupal | core | >= 7.0 < 7.57 | 7.57 |
| drupal | core | >= 8.0 < 8.4.0 | 8.4.0 |
| drupal | core | >= 8.0.0 < 8.4.5 | 8.4.5 |
| drupal | drupal | >= 7.0 < 7.57 | 7.57 |
| drupal | drupal | >= 7.0 < 7.57 | 7.57 |
| drupal | drupal | >= 8.0 < 8.4.0 | 8.4.0 |
| drupal | drupal | >= 8.0.0 < 8.4.0 | 8.4.0 |
| drupal | drupal_core | — | — |
CVSS provenance
nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Drupal cross site scripting vulnerability
ghsa·2022-05-14
CVE-2017-6929 [MEDIUM] CWE-79 Drupal cross site scripting vulnerability
Drupal cross site scripting vulnerability
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
OSV
Drupal cross site scripting vulnerability
osv·2022-05-14
CVE-2017-6929 [MEDIUM] Drupal cross site scripting vulnerability
Drupal cross site scripting vulnerability
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
OSV
CVE-2017-6929: A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains
osv·2018-03-01·CVSS 6.1
CVE-2017-6929 [MEDIUM] CVE-2017-6929: A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
OSV
CVE-2017-6926: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8
osv·2018-02-21·CVSS 6.1
CVE-2017-6926 [MEDIUM] CVE-2017-6926: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8
This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.
#### Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926
Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
#### JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927
Drupal has a `Drupal.checkPlain()` JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by e
Drupal
Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001
vendor_drupal·2018-02-21·CVSS 6.1
CVE-2017-6926 [MEDIUM] Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001
Title: Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001
Vulnerability Type: Multiple Vulnerabilities
Description: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list. Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926 Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927 Drupal has a Drupal.checkPlain() JavaScript function which i
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001)
bugzilla·2018-02-23·CVSS 8.1
CVE-2017-6926 [HIGH] CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001)
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001)
Multiple vulnerabilities were found in Drupal 7 and Drupal 8.
Affected versions: Drupal 7.x before 7.57, Drupal 8.x before 8.4.5
Comment reply form allows access to restricted content - Critical - Drupal 8
Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8
Drupal has a Drupal.che
Bugzilla
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal8: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
bugzilla·2018-02-23·CVSS 8.1
CVE-2017-6926 [HIGH] CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal8: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal8: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs
Bugzilla
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [epel-all]
bugzilla·2018-02-23·CVSS 8.1
CVE-2017-6926 [HIGH] CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [epel-all]
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs bei
Bugzilla
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
bugzilla·2018-02-23·CVSS 8.1
CVE-2017-6926 [HIGH] CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
CVE-2017-6926 CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6930 CVE-2017-6931 CVE-2017-6932 drupal7: drupal: Multiple vulnerabilities fixed in 7.57 and 8.4.5 (SA-CORE-2018-001) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs
https://lists.debian.org/debian-lts-announce/2018/02/msg00030.htmlhttps://www.debian.org/security/2018/dsa-4123https://www.drupal.org/sa-core-2018-001https://lists.debian.org/debian-lts-announce/2018/02/msg00030.htmlhttps://www.debian.org/security/2018/dsa-4123https://www.drupal.org/sa-core-2018-001
2018-03-01
Published