Vulnerability Details : CVE-2013-7435
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information because fm_IDL.xml does not require a user permission for retrieval of those records.
Vulnerability category: Information leak
Products affected by CVE-2013-7435
- cpe:2.3:a:evergreen-ils:evergreen:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-7435
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~53% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-7435
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
| 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2013-7435
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7435
- https://bugs.launchpad.net/evergreen/+bug/1206589 (Issue Tracking; Patch): Bug #1206589 "Credit Card Processor settings visible in LSE Hist..." : Bugs : Evergreen
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 (Issue Tracking; Release Notes)
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 (Issue Tracking; Release Notes)
- http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063 (Patch; Vendor Advisory): git.evergreen-ils.org Git - Evergreen.git/commit
- http://www.openwall.com/lists/oss-security/2015/03/04/3 (Mailing List; Issue Tracking; Third Party Advisory): oss-security - Re: CVE request - Evergreen
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 (Issue Tracking; Release Notes)
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ (Issue Tracking; Release Notes): SECURITY RELEASES: Evergreen 2.7.4, 2.6.7, and 2.5.9 - Evergreen ILS