CVE-2012-5557
Severity: low
CVSS v3: —
CVSS v2: 3.6
VIR risk: 3.6
Description
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal does not properly assign roles when there are more than three roles on the site and certain unspecified configurations are in place, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1840886
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1840054
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1840038
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| user_read-only_project | user_readonly | 6.x-1.0 | |
| user_read-only_project | user_readonly | 6.x-1.1 | |
| user_read-only_project | user_readonly | 6.x-1.2 | |
| user_read-only_project | user_readonly | 6.x-1.3 | |
| user_read-only_project | user_readonly | 6.x-1.x | |
| user_read-only_project | user_readonly | 7.x-1.0 | |
| user_read-only_project | user_readonly | 7.x-1.1 | |
| user_read-only_project | user_readonly | 7.x-1.2 | |
| user_read-only_project | user_readonly | 7.x-1.3 | |
| user_read-only_project | user_readonly | 7.x-1.x | |
| drupal | drupal | - | |
References
CWEs
CWE-264