{"id":"MGASA-2015-0328","summary":"Updated drupal packages fix security vulnerabilities","details":"Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal\nbefore 7.39 allows remote attackers to inject arbitrary web script or HTML\nvia a crafted URL, related to uploading files (CVE-2015-6658).\n\nSQL injection vulnerability in the SQL comment filtering system in the\nDatabase API in Drupal before 7.39 allows remote attackers to execute\narbitrary SQL commands via an SQL comment (CVE-2015-6659).\n\nThe Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly\nvalidate the form token, which allows remote attackers to conduct CSRF\nattacks that upload files in a different user's account via vectors related\nto \"file upload value callbacks\" (CVE-2015-6660).\n\nDrupal before 7.39 allows remote attackers to obtain sensitive node titles by\nreading the menu (CVE-2015-6661).\n\nCross-site scripting (XSS) vulnerability in the Ajax handler in Drupal before\n7.39 allows remote attackers to inject arbitrary web script or HTML via\nvectors involving a whitelisted HTML element, possibly related to the \"a\" tag\n(CVE-2015-6665).\n","modified":"2026-04-16T06:23:32.397625865Z","published":"2015-08-27T20:49:46Z","upstream":["CVE-2015-6658","CVE-2015-6659","CVE-2015-6660","CVE-2015-6661","CVE-2015-6665"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0328.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16630"},{"type":"WEB","url":"https://www.drupal.org/SA-CORE-2015-003"},{"type":"WEB","url":"https://www.drupal.org/drupal-7.39"},{"type":"WEB","url":"https://www.drupal.org/drupal-7.39-release-notes"}],"affected":[{"package":{"name":"drupal","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/drupal?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.39-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0328.json"}},{"package":{"name":"drupal","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/drupal?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.39-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0328.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}