This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting - Ajax system - Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

CVE identifier(s) issued

Cross-site Scripting (Ajax system - Drupal 7): CVE-2015-6665

Cross-site Scripting (Autocomplete system - Drupal 6 and 7): CVE-2015-6658

SQL Injection (Database API - Drupal 7): CVE-2015-6659

Cross-site Request Forgery (Form API - Drupal 6 and 7): CVE-2015-6660

Information Disclosure in Menu Links (Access system - Drupal 6 and 7): CVE-2015-6661

Versions affected

Drupal core 6.x versions prior to 6.37

Drupal core 7.x versions prior to 7.39

Solution

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.37

If you use Drupal 7.x, upgrade to Drupal core 7.39

Also see the Drupal core project page.

Credits

Cross-site Scripting - Ajax system - Drupal 7

Reported by

Fixed by

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

Reported by

Alex Bronstein of the Drupal Security Team

Pere Orga of the Drupal Security Team

Fixed by

SQL Injection - Database API - Drupal 7

Reported by

Fixed by

Cross-site Request Forgery - Form API - Drupal 6 and 7

Reported by

Fixed by

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Reported by

David_Rothstein of the Drupal Security Team

Fixed by

Coordinated by

Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity