Vulnerability-Lookup

CVE-2017-6929 (GCVE-0-2017-6929)

Vulnerability from cvelistv5 – Published: 2018-03-01 22:00 – Updated: 2024-09-16 23:36

Summary

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Severity ?

No CVSS data available.

CWE

Cross Site Scripting

Assigner

drupal

References

URL

	Vendor	Product	Version
	Drupal.org	Drupal Core	Affected: 7.x versions before 7.57

FKIE_CVE-2017-6929

Vulnerability from fkie_nvd - Published: 2018-03-01 23:29 - Updated: 2024-11-21 03:30

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
mlhess@drupal.org	https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html	Issue Tracking
mlhess@drupal.org	https://www.debian.org/security/2018/dsa-4123	Third Party Advisory
mlhess@drupal.org	https://www.drupal.org/sa-core-2018-001	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2018/dsa-4123	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.drupal.org/sa-core-2018-001	Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
drupal	drupal	*
drupal	drupal	*
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAF33815-3D31-4DC0-90EB-2649F94EA368",
              "versionEndExcluding": "7.57",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96D916B8-5791-4A14-8484-B360FDBEC170",
              "versionEndExcluding": "8.4.0",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module."
    },
    {
      "lang": "es",
      "value": "Hay una vulnerabilidad de Cross-Site Scripting (XSS) jQuery cuando se realizan peticiones Ajax a dominios no fiables. La vulnerabilidad se mitiga por el hecho de que requiere m\u00f3dulos que hayan sido entregados o personalizados para explotarla. En Drupal 8, esta vulnerabilidad ya se ha solucionado en la actualizaci\u00f3n core a jQuery 3 de la versi\u00f3n 8.4.0 de Drupal. En Drupal 7, se ha solucionado en la versi\u00f3n actual (Drupal 7.57) para jQuery 1.4.4 (la versi\u00f3n incluida en Drupal 7 core) y para otras versiones de jQuery que puedan estar emple\u00e1ndose en el sitio, por ejemplo, utilizando el m\u00f3dulo jQuery Update."
    }
  ],
  "id": "CVE-2017-6929",
  "lastModified": "2024-11-21T03:30:49.900",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-03-01T23:29:00.403",
  "references": [
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4123"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2018-001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4123"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2018-001"
    }
  ],
  "sourceIdentifier": "mlhess@drupal.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2018-05185

Vulnerability from cnvd - Published: 2018-03-14

Title

Drupal跨站脚本漏洞（CNVD-2018-05185）

Description

Drupal是Drupal社区所维护的一套用PHP语言开发的免费、开源的内容管理系统。jQuery是使用在其中的一个JavaScript库。 Drupal 8版本和7版本中的jQuery存在跨站脚本漏洞。远程攻击者可通过发送特制的请求利用该漏洞注入任意的脚本。

Severity

中

Patch Name

Drupal跨站脚本漏洞的补丁

Patch Description

Drupal是Drupal社区所维护的一套用PHP语言开发的免费、开源的内容管理系统。jQuery是使用在其中的一个JavaScript库。 Drupal 8版本和7版本中的jQuery存在跨站脚本漏洞。远程攻击者可通过发送特制的请求利用该漏洞注入任意的脚本。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://www.drupal.org/project/drupal/releases/7.57

Reference

https://www.drupal.org/sa-core-2018-001

Impacted products

Name
['Drupal Drupal 7', 'Drupal Drupal 8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6929"
    }
  },
  "description": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002jQuery\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2aJavaScript\u5e93\u3002\r\n\r\nDrupal 8\u7248\u672c\u548c7\u7248\u672c\u4e2d\u7684jQuery\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684\u811a\u672c\u3002",
  "discovererName": "Unknow",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.drupal.org/project/drupal/releases/7.57",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-05185",
  "openTime": "2018-03-14",
  "patchDescription": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002jQuery\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2aJavaScript\u5e93\u3002\r\n\r\nDrupal 8\u7248\u672c\u548c7\u7248\u672c\u4e2d\u7684jQuery\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Drupal\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Drupal Drupal 7",
      "Drupal Drupal 8"
    ]
  },
  "referenceLink": "https://www.drupal.org/sa-core-2018-001",
  "serverity": "\u4e2d",
  "submitTime": "2018-02-26",
  "title": "Drupal\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-05185\uff09"
}

GHSA-5VPR-V24W-MMJJ

Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2024-04-23 22:16

Summary

Drupal cross site scripting vulnerability

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.57"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.57"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-6929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:16:23Z",
    "nvd_published_at": "2018-03-01T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.",
  "id": "GHSA-5vpr-v24w-mmjj",
  "modified": "2024-04-23T22:16:23Z",
  "published": "2022-05-14T03:36:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6929.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6929.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4123"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2018-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal cross site scripting vulnerability"
}

GSD-2017-6929

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-6929

Aliases

CVE-2017-6929

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-6929",
    "description": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.",
    "id": "GSD-2017-6929",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-6929.html",
      "https://www.debian.org/security/2018/dsa-4123"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-6929"
      ],
      "details": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.",
      "id": "GSD-2017-6929",
      "modified": "2023-12-13T01:21:09.889506Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@drupal.org",
        "DATE_PUBLIC": "2018-02-21T00:00:00",
        "ID": "CVE-2017-6929",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Drupal Core",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "7.x versions before 7.57"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Drupal.org"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross Site Scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "DSA-4123",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4123"
          },
          {
            "name": "[debian-lts-announce] 20180228 [SECURITY] [DLA 1295-1] drupal7 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"
          },
          {
            "name": "https://www.drupal.org/sa-core-2018-001",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/sa-core-2018-001"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0,\u003c8.4.5",
          "affected_versions": "All versions starting from 8.0 before 8.4.5",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2018-03-21",
          "description": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.",
          "fixed_versions": [
            "8.4.5"
          ],
          "identifier": "CVE-2017-6929",
          "identifiers": [
            "CVE-2017-6929"
          ],
          "not_impacted": "All versions before 8.0, all versions starting from 8.4.5",
          "package_slug": "packagist/drupal/core",
          "pubdate": "2018-03-01",
          "solution": "Upgrade to version 8.4.5 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://www.drupal.org/SA-CORE-2018-001"
          ],
          "uuid": "0d68c952-033b-4d53-9b43-19def486f604"
        },
        {
          "affected_range": "\u003e=8.0,\u003c8.4.5",
          "affected_versions": "All versions starting from 8.0 before 8.4.5",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2018-03-21",
          "description": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.",
          "fixed_versions": [
            "8.4.5"
          ],
          "identifier": "CVE-2017-6929",
          "identifiers": [
            "CVE-2017-6929"
          ],
          "not_impacted": "All versions before 8.0, all versions starting from 8.4.5",
          "package_slug": "packagist/drupal/drupal",
          "pubdate": "2018-03-01",
          "solution": "Upgrade to version 8.4.5 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://www.drupal.org/SA-CORE-2018-001"
          ],
          "uuid": "f976f228-4c6a-4fa0-949e-3b443fe286fc"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.57",
                "versionStartIncluding": "7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.4.0",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2017-6929"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/sa-core-2018-001",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://www.drupal.org/sa-core-2018-001"
            },
            {
              "name": "DSA-4123",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2018/dsa-4123"
            },
            {
              "name": "[debian-lts-announce] 20180228 [SECURITY] [DLA 1295-1] drupal7 security update",
              "refsource": "MLIST",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2018-03-21T16:54Z",
      "publishedDate": "2018-03-01T23:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-6929 (GCVE-0-2017-6929)

FKIE_CVE-2017-6929

CNVD-2018-05185

GHSA-5VPR-V24W-MMJJ

GSD-2017-6929

Tags

Sightings

Nomenclature