CVE-2008-1729

The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/244637	Patch Vendor Advisory
http://www.securityfocus.com/bid/28714	Patch Third Party Advisory VDB Entry
http://secunia.com/advisories/29762	Third Party Advisory
http://www.osvdb.org/44270	Broken Link
http://www.vupen.com/english/advisories/2008/1185/references	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/41755	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Information

Published : 2008-04-11 12:05

Updated : 2021-04-19 13:59

NVD link : CVE-2008-1729

Mitre link : CVE-2008-1729

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

drupal

drupal

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://drupal.org/node/244637", "name": "http://drupal.org/node/244637", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/28714", "name": "28714", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/29762", "name": "29762", "tags": ["Third Party Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.osvdb.org/44270", "name": "44270", "tags": ["Broken Link"], "refsource": "OSVDB"}, {"url": "http://www.vupen.com/english/advisories/2008/1185/references", "name": "ADV-2008-1185", "tags": ["Third Party Advisory"], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41755", "name": "drupal-menusystem-security-bypass(41755)", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the \"access content\" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-1729", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2008-04-11T19:05Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.2", "versionStartIncluding": "6.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-04-19T20:59Z"}

5.8 /10