CVE-2012-4488

The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/1699962	Patch
http://drupal.org/node/1699984	Patch
http://drupal.org/node/1700588	Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/10/04/6
http://www.openwall.com/lists/oss-security/2012/10/07/1

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:location_module_project:location:6.x-3.0:::::::*
	cpe:2.3:a:location_module_project:location:6.x-3.0:rc1::::::
	cpe:2.3:a:location_module_project:location:6.x-3.0:rc2::::::
	cpe:2.3:a:location_module_project:location:6.x-3.0:test3::::::
	cpe:2.3:a:location_module_project:location:6.x-3.1:::::::*
	cpe:2.3:a:location_module_project:location:6.x-3.1:rc1::::::
	cpe:2.3:a:location_module_project:location:6.x-3.x:dev::::::
	cpe:2.3:a:location_module_project:location:7.x-1.0:beta1::::::
	cpe:2.3:a:location_module_project:location:7.x-3.x:dev::::::
	cpe:2.3:a:location_module_project:location:7.x-4.x:dev::::::
	cpe:2.3:a:location_module_project:location:7.x-5.x:dev::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-10-31 16:55

Updated : 2012-11-02 04:00

NVD link : CVE-2012-4488

Mitre link : CVE-2012-4488

CVE.ORG link : CVE-2012-4488

JSON object : View

Products Affected

location_module_project

location

drupal

drupal

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2012-4488", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-10-31T16:55:03.047", "references": [{"url": "http://drupal.org/node/1699962", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "http://drupal.org/node/1699984", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "http://drupal.org/node/1700588", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2012/10/04/6", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2012/10/07/1", "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page."}, {"lang": "es", "value": "El m\u00f3dulo Location v6.x antes de v6.x-3.2 y v7.x antes de v7.x-3.0-alfa1 para Drupal no comprueba correctamente los permisos de usuario o nodo de acceso, lo que permite a atacantes remotos leer nodos o usuario a trav\u00e9s de los resultados de la p\u00e1gina de b\u00fasqueda de ubicaci\u00f3n."}], "lastModified": "2012-11-02T04:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D1698DC-E5F7-4551-8733-22D0C6DBC7EF"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BD4F5FF-AB94-4BB6-ADFD-95A04C243493"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C370E871-839F-4BC8-8DF1-6CCD828AC238"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.0:test3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "653AB041-6093-4908-9EBF-59AA96F77470"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FECCAEC1-037D-42FA-A531-3E7B414976D3"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.1:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFD761E9-EF45-4589-9F9E-755168470736"}, {"criteria": "cpe:2.3:a:location_module_project:location:6.x-3.x:dev:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F7B570F-A43D-43A7-848A-3730EB4680B8"}, {"criteria": "cpe:2.3:a:location_module_project:location:7.x-1.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46387A3E-D446-4BFA-A657-9730492759CD"}, {"criteria": "cpe:2.3:a:location_module_project:location:7.x-3.x:dev:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88718278-C458-4607-A4E9-A4FE3F8DAC72"}, {"criteria": "cpe:2.3:a:location_module_project:location:7.x-4.x:dev:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7789237-66FE-4766-93B0-6EDFA221A840"}, {"criteria": "cpe:2.3:a:location_module_project:location:7.x-5.x:dev:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39F1AB98-AD33-4D6A-8E95-E750D3EB65FC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secalert@redhat.com"}