Vulnerabilities / Drupal version with known vulnerabilities

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity
High
CWE Name
Drupal version with known vulnerabilities
CWE ID
CWE-1035
CVSS Score
9.1
Compliance
Drupal version with known vulnerabilities

The installed version of Drupal has multiple known vulnerabilities that may be used by attackers to harmful the clients of the application or the application itself.

The impact of this greatly depends on the vulnerabilities this Drupal version has. Some vulnerabilities may allow only the theft of a user account, giving the attacker the possibility to read and modify content written by the victim and to post on is behalf. However, more serious vulnerabilities may allow the attacker to login with the administrator account and completely control the administration area, possibly destroy all the contents or replacing them with improper content.

This is a common problem amongst Drupal installations, since it becomes outdated quickly, with vulnerabilities being discovered weekly and updated being published at the same pace.

How to fix

  • The correct solution is to update Drupal to its latest stable version, which will fix any known vulnerability, improving the security of the web application.