CVE-2012-2097

Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node."

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://drupal.org/node/1525998	Patch
http://drupal.org/node/1528864	Patch Vendor Advisory
http://drupal.org/node/1528906	Patch
http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0	Exploit Patch
http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d	Exploit Patch
http://www.openwall.com/lists/oss-security/2012/04/11/4
http://www.openwall.com/lists/oss-security/2012/04/12/2
http://www.securityfocus.com/bid/52985
https://exchange.xforce.ibmcloud.com/vulnerabilities/74838
http://drupal.org/node/1525998	Patch
http://drupal.org/node/1528864	Patch Vendor Advisory
http://drupal.org/node/1528906	Patch
http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0	Exploit Patch
http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d	Exploit Patch
http://www.openwall.com/lists/oss-security/2012/04/11/4
http://www.openwall.com/lists/oss-security/2012/04/12/2
http://www.securityfocus.com/bid/52985
https://exchange.xforce.ibmcloud.com/vulnerabilities/74838

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:larry_garfield:autosave::::::::
	cpe:2.3:a:larry_garfield:autosave:6.x-2.0:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.1:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.2:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.3:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.4:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.5:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.6:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.7:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.8:::::::*
	cpe:2.3:a:larry_garfield:autosave:6.x-2.x:dev::::::
	cpe:2.3:a:larry_garfield:autosave:7.x-2.x:dev::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

History

21 Nov 2024, 01:38

Type	Values Removed	Values Added
References	~~() http://drupal.org/node/1525998 - Patch~~	() http://drupal.org/node/1525998 - Patch
References	~~() http://drupal.org/node/1528864 - Patch, Vendor Advisory~~	() http://drupal.org/node/1528864 - Patch, Vendor Advisory
References	~~() http://drupal.org/node/1528906 - Patch~~	() http://drupal.org/node/1528906 - Patch
References	~~() http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0 - Exploit, Patch~~	() http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0 - Exploit, Patch
References	~~() http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d - Exploit, Patch~~	() http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d - Exploit, Patch
References	~~() http://www.openwall.com/lists/oss-security/2012/04/11/4 -~~	() http://www.openwall.com/lists/oss-security/2012/04/11/4 -
References	~~() http://www.openwall.com/lists/oss-security/2012/04/12/2 -~~	() http://www.openwall.com/lists/oss-security/2012/04/12/2 -
References	~~() http://www.securityfocus.com/bid/52985 -~~	() http://www.securityfocus.com/bid/52985 -
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/74838 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/74838 -

Information

Published : 2012-08-14 21:55

Updated : 2024-11-21 01:38

NVD link : CVE-2012-2097

Mitre link : CVE-2012-2097

CVE.ORG link : CVE-2012-2097

JSON object : View

Products Affected

larry_garfield

autosave

drupal

drupal

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.8 /10