CVE-2015-5490 : The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebu

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

Published 2015-08-18 17:59:32

Updated 2016-11-28 19:33:49

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2015-5490

Probability of exploitation activity in the next 30 days: 0.79%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 79 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-5490

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2015-5490

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-5490

http://www.securityfocus.com/bid/74462

Drupal Views Module Access Bypass Vulnerability
http://cgit.drupalcode.org/views/commit/?id=cef693b

Issue by das-peter: Ensure that we do not end up with broken views data cache entries. (cef693bc) · Commits · project / views · GitLab
http://www.openwall.com/lists/oss-security/2015/07/04/4

oss-security - CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)

CVEs referencing this url
https://www.drupal.org/node/2480327

Access to this page has been denied.
Patch;Vendor Advisory
https://www.drupal.org/node/2475669

Access to this page has been denied.
Exploit
https://www.drupal.org/node/2480259

Access to this page has been denied.
Patch

Products affected by CVE-2015-5490

Views Project » Views » Version: 7.x-3.6 For Drupal
cpe:2.3:a:views_project:views:7.x-3.6:*:*:*:*:drupal:*:*
Matching versions
Views Project » Views » Version: 7.x-3.7 For Drupal
cpe:2.3:a:views_project:views:7.x-3.7:*:*:*:*:drupal:*:*
Matching versions
Views Project » Views » Version: 7.x-3.8 For Drupal
cpe:2.3:a:views_project:views:7.x-3.8:*:*:*:*:drupal:*:*
Matching versions
Views Project » Views » Version: 7.x-3.5 For Drupal
cpe:2.3:a:views_project:views:7.x-3.5:*:*:*:*:drupal:*:*
Matching versions
Views Project » Views » Version: 7.x-3.10 For Drupal
cpe:2.3:a:views_project:views:7.x-3.10:*:*:*:*:drupal:*:*
Matching versions

Vulnerability Details : CVE-2015-5490

Exploit prediction scoring system (EPSS) score for CVE-2015-5490

CVSS scores for CVE-2015-5490

CWE ids for CVE-2015-5490

References for CVE-2015-5490

Products affected by CVE-2015-5490