CVE-2017-6927

EPSS 1.3%
Published 01.03.2018 23:29:00
Last modified 21.11.2024 03:30:49
Source mlhess@drupal.org
Teams watchlist Login
Open Login

Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 7.0 < 7.57

Drupal ≫ Drupal Version >= 8.4.0 < 8.4.5

Debian ≫ Debian Linux Version7.0

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.3%	0.791

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.drupal.org/sa-core-2018-001

Vendor Advisory

http://www.securityfocus.com/bid/103138

Third Party Advisory

VDB Entry

https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html

Third Party Advisory

Mailing List

https://www.debian.org/security/2018/dsa-4123

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-6927

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6927

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6927

EUVD