Vulnerability Details CVE-2008-6171
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.04
EPSS Ranking 87.9%
CVSS Severity
CVSS v2 Score 9.3
References
- http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch
- http://drupal.org/node/324824
- http://secunia.com/advisories/32389
- http://secunia.com/advisories/32441
- http://www.securityfocus.com/bid/31900
- http://www.vupen.com/english/advisories/2008/2913
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46049
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html
- http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch
- http://drupal.org/node/324824
- http://secunia.com/advisories/32389
- http://secunia.com/advisories/32441
- http://www.securityfocus.com/bid/31900
- http://www.vupen.com/english/advisories/2008/2913
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46049
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html
Products affected by CVE-2008-6171
-
cpe:2.3:a:drupal:drupal:5.0
-
cpe:2.3:a:drupal:drupal:5.1
-
cpe:2.3:a:drupal:drupal:5.10
-
cpe:2.3:a:drupal:drupal:5.11
-
cpe:2.3:a:drupal:drupal:5.2
-
cpe:2.3:a:drupal:drupal:5.3
-
cpe:2.3:a:drupal:drupal:5.4
-
cpe:2.3:a:drupal:drupal:5.5
-
cpe:2.3:a:drupal:drupal:5.6
-
cpe:2.3:a:drupal:drupal:5.7
-
cpe:2.3:a:drupal:drupal:5.8
-
cpe:2.3:a:drupal:drupal:5.9
-
cpe:2.3:a:drupal:drupal:6.0
-
cpe:2.3:a:drupal:drupal:6.1
-
cpe:2.3:a:drupal:drupal:6.2
-
cpe:2.3:a:drupal:drupal:6.3
-
cpe:2.3:a:drupal:drupal:6.4
-
cpe:2.3:a:drupal:drupal:6.5