Vulnerability Details : CVE-2012-2073
The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified vectors.
Exploit prediction scoring system (EPSS) score for CVE-2012-2073
Probability of exploitation activity in the next 30 days: 0.43%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 71 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-2073
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
CWE ids for CVE-2012-2073
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2073
-
http://drupal.org/node/1506420
Access to this page has been denied.Patch;Vendor Advisory
-
http://drupal.org/node/1506166
Access to this page has been denied.Patch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/74439
Bundle Copy module for Drupal use PHP for settings code execution CVE-2012-2073 Vulnerability Report
-
http://drupalcode.org/project/bundle_copy.git/commit/299bdca
Access to this page has been denied.
-
http://www.openwall.com/lists/oss-security/2012/04/07/1
oss-security - CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)
-
http://www.securityfocus.com/bid/52811
Drupal Bundle Copy Module Arbitrary PHP Code Execution Vulnerability
Products affected by CVE-2012-2073
- cpe:2.3:a:kristof_de_jaeger:bundle_copy:7.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:kristof_de_jaeger:bundle_copy:7.x-1.x:*:*:*:*:*:*:*