CVE-2014-9503 - OpenCVE

The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with "access content" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Open Atrium Project	Open Atrium

Configuration 1 [-]

OR	cpe:2.3:a:open_atrium_project:open_atrium::::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha1::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha2::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha3::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha4::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha5::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta1::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta2::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta3::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta4::::drupal::*
	cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:rc1::::drupal::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/01/04/6	Mailing List Issue Tracking Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/99656	Third Party Advisory VDB Entry
https://www.drupal.org/node/2394979	Mitigation Vendor Advisory
https://www.drupal.org/node/2395045	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-01T17:00:00

Updated: 2018-02-01T16:57:01

Reserved: 2015-01-03T00:00:00

Link: CVE-2014-9503

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-01T17:29:00.900

Modified: 2018-02-27T18:58:41.437

Link: CVE-2014-9503

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-17T00:00:00", "descriptions": [{"lang": "en", "value": "The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with \"access content\" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-01T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "openatrium-drupal-cve20149503-sec-bypass(99656)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99656"}, {"name": "[oss-security] 20150103 Re: CVE requests: Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/04/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2394979"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2395045"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9503", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with \"access content\" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openatrium-drupal-cve20149503-sec-bypass(99656)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99656"}, {"name": "[oss-security] 20150103 Re: CVE requests: Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/04/6"}, {"name": "https://www.drupal.org/node/2394979", "refsource": "MISC", "url": "https://www.drupal.org/node/2394979"}, {"name": "https://www.drupal.org/node/2395045", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2395045"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9503", "datePublished": "2018-02-01T17:00:00", "dateReserved": "2015-01-03T00:00:00", "dateUpdated": "2018-02-01T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "DE3C0F8F-550C-43E2-A68C-1232E5BB03D4", "versionEndExcluding": "7.x-2.26", "versionStartIncluding": "7.x-2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha1:*:*:*:drupal:*:*", "matchCriteriaId": "BF3160D6-D8F4-4492-B4BC-8CEBB30E8CF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha2:*:*:*:drupal:*:*", "matchCriteriaId": "9AFFF66B-966F-44E2-937A-A9AF4A8BA098", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha3:*:*:*:drupal:*:*", "matchCriteriaId": "4FBA852F-2C9D-4705-9EA8-7C92F97E0C49", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha4:*:*:*:drupal:*:*", "matchCriteriaId": "B2A658D4-DD9D-4409-B8BB-99989C1EFF96", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:alpha5:*:*:*:drupal:*:*", "matchCriteriaId": "8301DB55-6225-44F1-B277-4BAE410655FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta1:*:*:*:drupal:*:*", "matchCriteriaId": "606B1F8B-0AE4-4757-8558-EE197D9F60D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta2:*:*:*:drupal:*:*", "matchCriteriaId": "0EA8F582-1316-4470-90F7-A74387058CD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta3:*:*:*:drupal:*:*", "matchCriteriaId": "BBE88918-2639-4A51-AF85-8AA513FE807B", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:beta4:*:*:*:drupal:*:*", "matchCriteriaId": "B22E63ED-6B41-4DF5-9D70-444EA53F7E99", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_atrium_project:open_atrium:7.x-2.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "AB94D1CA-963D-4AF3-B0E4-4DC42D4CE736", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with \"access content\" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks."}, {"lang": "es", "value": "El subm\u00f3dulo Discussions en el m\u00f3dulo Open Atrium en versiones 7.x-2.x anteriores a las 7.x-2.26 para Drupal permite que los usuarios autenticados remotos con permisos \"access content\" modifiquen nodos arbitrarios aprovech\u00e1ndose de las comprobaciones de acceso incorrectas en llamadas de retorno ajax no especificadas."}], "id": "CVE-2014-9503", "lastModified": "2018-02-27T18:58:41.437", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-01T17:29:00.900", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Issue Tracking", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/04/6"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99656"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.drupal.org/node/2394979"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2395045"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}