CVE-2012-1626 - OpenCVE

SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Karen Stevenson	Date
Drupal	Drupal

Configuration 1 [-]

AND

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

OR	cpe:2.3:a:karen_stevenson:date:6.x-2.0:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta2::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta3::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta4::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc1::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc2::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc3::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc4::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc5::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc6::::::
	cpe:2.3:a:karen_stevenson:date:6.x-2.1:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.2:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.3:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.4:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.5:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.6:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.7:::::::*
	cpe:2.3:a:karen_stevenson:date:6.x-2.x:dev::::::

References

Link	Resource
http://drupal.org/node/1401026	Patch
http://drupal.org/node/1401434	Patch Vendor Advisory
http://osvdb.org/78261
http://secunia.com/advisories/47533	Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.securityfocus.com/bid/51378
https://exchange.xforce.ibmcloud.com/vulnerabilities/72356

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2012-09-20T01:00:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-03-12T00:00:00

Link: CVE-2012-1626

JSON object: View

NVD Information

Status : Modified

Published: 2012-09-20T03:46:36.163

Modified: 2017-08-29T01:31:20.023

Link: CVE-2012-1626

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-01-11T00:00:00", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the \"administer Date Tools\" privilege to execute arbitrary SQL commands via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/1401026"}, {"name": "47533", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/47533"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"name": "78261", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/78261"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/1401434"}, {"name": "date-event-sql-injection(72356)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72356"}, {"name": "51378", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/51378"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-1626", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the \"administer Date Tools\" privilege to execute arbitrary SQL commands via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://drupal.org/node/1401026", "refsource": "CONFIRM", "url": "http://drupal.org/node/1401026"}, {"name": "47533", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/47533"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"name": "78261", "refsource": "OSVDB", "url": "http://osvdb.org/78261"}, {"name": "http://drupal.org/node/1401434", "refsource": "CONFIRM", "url": "http://drupal.org/node/1401434"}, {"name": "date-event-sql-injection(72356)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72356"}, {"name": "51378", "refsource": "BID", "url": "http://www.securityfocus.com/bid/51378"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1626", "datePublished": "2012-09-20T01:00:00", "dateReserved": "2012-03-12T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:*:*:*:*:*:*:*", "matchCriteriaId": "F3F26B0B-F3C3-45BF-90F8-0F3EAB5F2C17", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "93AFC0CD-7E4F-45FF-9357-798E872439AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "88598EA8-68DF-4102-80B7-FC23AC1CC6BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1CB5C35D-E0F1-4A4C-A424-4F0F21A7539A", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "169D878F-D3FD-456B-BC94-073C8000D8AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "BB57869E-0886-4770-B26B-E1D8542B5C9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8C5BDB03-7356-4522-BD20-6322D726EDD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "77038900-2F18-42E7-8E45-7C1A7E3AE1B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "A922CA8F-2AAD-4842-9887-D3D4BCE6868C", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "17BA84A3-E818-482F-9B33-32C709BFE21B", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "FA0D09CD-F116-4186-9F60-EC44AB22CA55", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.1:*:*:*:*:*:*:*", "matchCriteriaId": "20844EE0-6771-45FE-8B4E-AA9462488F3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4DF0E66-9076-4535-B42E-326A9A6C0D7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.3:*:*:*:*:*:*:*", "matchCriteriaId": "66A81A03-2FB3-421A-B2C4-5D6F5C0844A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.4:*:*:*:*:*:*:*", "matchCriteriaId": "C1BE2026-7C26-406C-8A00-A27FF8E6BB1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.5:*:*:*:*:*:*:*", "matchCriteriaId": "FAD8C299-2A11-453B-A344-300CD6D8DDCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.6:*:*:*:*:*:*:*", "matchCriteriaId": "9505DDFE-9D2B-48F8-8FDF-D362491D79D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.7:*:*:*:*:*:*:*", "matchCriteriaId": "38F9DB2F-5060-4DE9-B31D-83315F55A466", "vulnerable": true}, {"criteria": "cpe:2.3:a:karen_stevenson:date:6.x-2.x:dev:*:*:*:*:*:*", "matchCriteriaId": "0E8D5868-D414-43C0-9C4A-D855C9F3C187", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the \"administer Date Tools\" privilege to execute arbitrary SQL commands via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en formulario de conversi\u00f3n para Eventos en el m\u00f3dulo Fecha v6.x-2.x antes de v6.x-2.8 para Drupal permite ejecutar comandos SQL a usuarios remotos autenticados con el privilegio \"administrar Fecha de Herramientas\" a trav\u00e9s de vectores no especificados.\r\n"}], "id": "CVE-2012-1626", "lastModified": "2017-08-29T01:31:20.023", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-09-20T03:46:36.163", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://drupal.org/node/1401026"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/1401434"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/78261"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/47533"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/51378"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72356"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}