CVE-2013-1973

The autocomplete callback in Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 does not properly handle node permissions, which allows remote authenticated users to obtain sensitive field values via unspecified vectors.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://osvdb.org/92532
http://secunia.com/advisories/52996
https://drupal.org/node/1971848	Patch
https://drupal.org/node/1971856	Patch
https://drupal.org/node/1972976	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.0:-:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.1:-:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.2:-:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.3:-:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:alpha1:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta1:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta2:-::-:drupal::*
	cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:dev:-::-:drupal::*

History

No history.

Information

Published : 2014-06-09 19:55

Updated : 2014-06-24 15:01

NVD link : CVE-2013-1973

Mitre link : CVE-2013-1973

CVE.ORG link : CVE-2013-1973

JSON object : View

Products Affected

autocomplete_widgets_project

autocomplete_widgets

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-1973", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-06-09T19:55:06.943", "references": [{"url": "http://osvdb.org/92532", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/52996", "source": "secalert@redhat.com"}, {"url": "https://drupal.org/node/1971848", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "https://drupal.org/node/1971856", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "https://drupal.org/node/1972976", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The autocomplete callback in Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 does not properly handle node permissions, which allows remote authenticated users to obtain sensitive field values via unspecified vectors."}, {"lang": "es", "value": "La rellamada de autocompletar en Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) m\u00f3dulo 6.x-1.x anterior a 6.x-1.4 y 7.x-1.x anterior a 7.x-1.0-rc1 no maneja debidamente permisos de nodo, loque permite a usuarios remotos autenticados obtener valores de campos sensibles a trav\u00e9s de vectores no especificados."}], "lastModified": "2014-06-24T15:01:56.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.0:-:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "CF645DF0-F227-40EE-B24F-033B819ADC69"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.1:-:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "C1B5073B-4061-4BA0-B46D-FFDDCFDD8B31"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.2:-:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "54B02DEF-7CAD-4C3F-92A7-8CB1620AC29F"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.3:-:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "46BB3A14-7F20-4859-914D-D09BDD22904E"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:alpha1:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "A0D12F8C-E107-4942-B8A1-3E3F8316B3C8"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta1:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "84AEC576-1854-454B-9873-81AD1435B13D"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta2:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "49BFB7EC-A679-4E51-B878-9EBE2ED0FDC4"}, {"criteria": "cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:dev:-:*:-:drupal:*:*", "vulnerable": true, "matchCriteriaId": "14680478-F0BB-452E-9AB0-441633DDB8E2"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}