CVE-2016-9449

high-risk
Published 2016-11-25

The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.

Do I need to act?

-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Drupal

References (6)

http://www.debian.org/security/2016/dsa-3718
Third Party Advisory http://www.securityfocus.com/bid/94367
Patch https://www.drupal.org/SA-CORE-2016-005
http://www.debian.org/security/2016/dsa-3718
Third Party Advisory http://www.securityfocus.com/bid/94367
Patch https://www.drupal.org/SA-CORE-2016-005
50
/ 100
high-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 31/34 · Critical