CVE-2017-6927
Descriptions
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.
Timeline
- 2017-03-16 CVE Reserved
- 2018-03-01 CVE Published
- 2024-05-27 EPSS Updated
- 2024-09-17 CVE Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (4)
URL | Tag | Date
---|---|---
http://www.securityfocus.com/bid/103138 | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html | Mailing List |
https://www.debian.org/security/2018/dsa-4123 | | 2018-03-22
https://www.drupal.org/sa-core-2018-001 | | 2018-03-22
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Drupal | Drupal | >= 7.0 < 7.57 | Affected
Drupal | Drupal | >= 8.4.0 < 8.4.5 | Affected
Debian | Debian Linux | 7.0 | Affected
Debian | Debian Linux | 8.0 | Affected
Debian | Debian Linux | 9.0 | Affected