Drupal Ctools Module Cross Site Scripting and Access Bypass Vulnerabilities



The Ctools module for Drupal is prone to a cross-site scripting vulnerability and an access-bypass vulnerability.

An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, which could allow the attacker to steal cookie-based authentication credentials, bypass security restrictions, or perform unauthorized actions. This may aid in launching further attacks.

Information

Bugtraq ID: 76441
Class: Unknown
CVE: CVE-2015-7875

Remote: Yes
Local: No
Published: Aug 19 2015 12:00AM
Updated: Sep 28 2017 07:00AM
Credit: Peter Wolanin of the Drupal Security Team and Andor Dávid
Vulnerable: Drupal ctools 7.x-1.7
Drupal ctools 7.x-1.6
Drupal ctools 7.x-1.5
Drupal ctools 7.x-1.4
Drupal ctools 7.x-1.3
Drupal ctools 7.x-1.2
Drupal ctools 7.x-1.1
Drupal ctools 6.x-1.9
Drupal ctools 6.x-1.8
Drupal ctools 6.x-1.7
Drupal ctools 6.x-1.6
Drupal ctools 6.x-1.5
Drupal ctools 6.x-1.4
Drupal ctools 6.x-1.3
Drupal ctools 6.x-1.2
Drupal ctools 6.x-1.13
Drupal ctools 6.x-1.12
Drupal ctools 6.x-1.10
Drupal ctools 6.x-1.1


Not Vulnerable: Drupal ctools 7.x-1.8
Drupal ctools 6.x-1.14


Exploit


Attackers can use a browser to exploit the access-bypass issue. To exploit the cross-site scripting vulnerability, attackers must trick an unsuspecting victim into following a malicious URI.

