CVE-2015-4364

Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.drupal.org/node/2445971	Patch Vendor Advisory
https://www.drupal.org/node/2449747
https://www.drupal.org/node/2452569	Patch
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/72953

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:campaign_monitor_project:campaign_monitor:7.x-1.0:*:*:*:*:drupal:*:*

Information

Published : 2015-06-15 07:59

Updated : 2018-06-26 18:29

NVD link : CVE-2015-4364

Mitre link : CVE-2015-4364

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Advertisement

Products Affected

campaign_monitor_project

campaign_monitor

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.drupal.org/node/2445971", "name": "https://www.drupal.org/node/2445971", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://www.drupal.org/node/2449747", "name": "https://www.drupal.org/node/2449747", "tags": [], "refsource": "CONFIRM"}, {"url": "https://www.drupal.org/node/2452569", "name": "https://www.drupal.org/node/2452569", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6", "name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": [], "refsource": "MLIST"}, {"url": "http://www.securityfocus.com/bid/72953", "name": "72953", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-4364", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2015-06-15T14:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:campaign_monitor_project:campaign_monitor:7.x-1.0:*:*:*:*:drupal:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-06-27T01:29Z"}