Vulnerability Details: CVE-2015-3404
The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."
Vulnerability category: Information leak
Products affected by CVE-2015-3404
- cpe:2.3:a:certify_project:certify:6.x-2.2:*:*:*:*:drupal:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-3404
EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~49% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-3404
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
CWE ids for CVE-2015-3404
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3404
- http://www.openwall.com/lists/oss-security/2015/01/29/6
  oss-security - Re: CVEs for Drupal contributed modules - January 2015
- http://www.openwall.com/lists/oss-security/2015/04/21/8
  oss-security - Re: Re: CVEs for Drupal contributed modules - January 2015
- https://www.drupal.org/node/2415947
  Patch; Vendor Advisory
- http://www.securityfocus.com/bid/74282
  Drupal Certify Module Access Bypass and Information Disclosure Vulnerabilities
- https://www.drupal.org/node/2407081
  Patch