CVE-2012-5586
low
CVSS v3
—
CVSS v2
2.1
VIR risk
2.1
Description
The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource."
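The disclosure above is a plain authorization gap: the user resource returned the full user object, including the `mail` field, to any requester holding only "access user profiles". The following audit helper is an added example, not code from the Services project or from the advisory. It assumes a Services REST endpoint exposing the user resource at a site-configured path (the `ENDPOINT_URL` below is hypothetical), JSON output, and a session cookie for a low-privilege test account; the `page`/`pagesize` query parameters are assumed to match Services 3.x index arguments. The offline part, `find_mail_exposure()`, runs on any list of user records and flags every record whose e-mail is visible to someone other than that user, which is exactly the behaviour the fixed release removes.

```python
"""
Audit helper for CVE-2012-5586 (Drupal Services module, user resource
e-mail disclosure). Added example; not the module's own code.

Assumptions (not taken from the page):
  - ENDPOINT_URL is the site-specific Services endpoint + user resource path
  - the endpoint serves JSON when the .json suffix is requested
  - SESSION_COOKIE belongs to an account with only "access user profiles"
"""
import json
import sys
import urllib.request

# Hypothetical endpoint path; Services endpoint paths are configured per site.
ENDPOINT_URL = "https://example.invalid/rest/user"


def find_mail_exposure(records, requester_uid):
    """Return the uids (as strings) whose e-mail address appears in `records`
    although the requester is not that user.

    On an index or retrieve response fetched with a low-privilege session, a
    non-empty result reproduces the unpatched behaviour of Services < 3.3,
    which returned `mail` for every user to anyone with
    'access user profiles'. A patched site yields an empty list (only the
    requester's own record, if present, may still carry `mail`).
    """
    exposed = []
    for rec in records:
        uid = str(rec.get("uid", ""))
        mail = rec.get("mail")
        if mail and uid != str(requester_uid):
            exposed.append(uid)
    return exposed


def fetch_user_index(url, session_cookie, page=0, pagesize=20):
    """Fetch one page of the user index as the given session.

    The `page` and `pagesize` parameters mirror the Services 3.x index
    arguments (assumption); the response is expected to be a JSON list of
    user objects.
    """
    req = urllib.request.Request(
        f"{url}.json?page={page}&pagesize={pagesize}",
        headers={"Cookie": session_cookie, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses (not captured from a real site), shaped like
# the user index output before and after the fix. The requester is uid 9.
SAMPLE_UNPATCHED = [
    {"uid": "1", "name": "admin", "mail": "admin@example.invalid"},
    {"uid": "7", "name": "alice", "mail": "alice@example.invalid"},
    {"uid": "9", "name": "bob", "mail": "bob@example.invalid"},
]
SAMPLE_PATCHED = [
    {"uid": "1", "name": "admin"},
    {"uid": "7", "name": "alice"},
    {"uid": "9", "name": "bob", "mail": "bob@example.invalid"},  # requester's own record
]


def main(argv):
    # Usage: python audit.py <session-cookie> <requester-uid>
    # Without arguments the constructed samples are checked offline.
    if len(argv) == 3:
        records = fetch_user_index(ENDPOINT_URL, argv[1])
        exposed = find_mail_exposure(records, argv[2])
    else:
        exposed = find_mail_exposure(SAMPLE_UNPATCHED, 9)
    if exposed:
        print("VULNERABLE: e-mail exposed for uids", ", ".join(exposed))
        return 1
    print("OK: no foreign e-mail addresses in the user index")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the endpoint with a session whose account has only "access user profiles"; any uid reported other than the test account's own is a finding. The same check applies to the retrieve path (`.../user/<uid>.json`), since the advisory names both the index method and the path to the user resource.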
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Upgrade the Services module to 6.x-3.3 or 7.x-3.3 (the fixed releases named in the description). Until the upgrade is deployed, the precondition for the disclosure can be removed by withholding the "access user profiles" permission from roles that can reach the Services endpoint, or by disabling the user resource on that endpoint.
Vendor advisory (drupal.org; reference source tag secalert@redhat.com): http://drupal.org/node/1853200
Vendor advisory (drupal.org; reference source tag secalert@redhat.com): http://drupal.org/node/1842026
Vendor advisory (drupal.org; reference source tag secalert@redhat.com): http://drupal.org/node/1842022
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| marc_ingram | services | 6.x-3.0, 6.x-3.1, 6.x-3.2 (all 6.x-3.x before 6.x-3.3) | 6.x-3.3 |
| marc_ingram | services | 7.x-3.0, 7.x-3.1, 7.x-3.2 (all 7.x-3.x before 7.x-3.3) | 7.x-3.3 |
| drupal | drupal | - (platform the Services contrib module runs on; core itself is not the affected component) | |
References
- http://drupal.org/node/1842022
- http://drupal.org/node/1842026
- http://drupal.org/node/1853200
- http://www.openwall.com/lists/oss-security/2012/11/29/2
- http://www.securityfocus.com/bid/56723
CWEs
CWE-264: Permissions, Privileges, and Access Controls