CVE-2015-3352 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to "report administration."

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jammer Project	Jammer

Configuration 1 [-]

cpe:2.3:a:jammer_project:jammer:*:*:*:*:*:drupal:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/01/29/6
http://www.securityfocus.com/bid/71958
https://www.drupal.org/node/2402745	Patch
https://www.drupal.org/node/2402749	Patch
https://www.drupal.org/node/2403487	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-04-21T16:00:00

Updated: 2016-12-02T20:57:01

Reserved: 2015-04-21T00:00:00

Link: CVE-2015-3352

JSON object: View

NVD Information

Status : Modified

Published: 2015-04-21T16:59:12.047

Modified: 2016-12-06T03:00:12.840

Link: CVE-2015-3352

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-07T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to \"report administration.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2403487"}, {"name": "71958", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71958"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2402745"}, {"name": "[oss-security] 20150129 Re: CVEs for Drupal contributed modules - January 2015", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/29/6"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2402749"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3352", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to \"report administration.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2403487", "refsource": "MISC", "url": "https://www.drupal.org/node/2403487"}, {"name": "71958", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71958"}, {"name": "https://www.drupal.org/node/2402745", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2402745"}, {"name": "[oss-security] 20150129 Re: CVEs for Drupal contributed modules - January 2015", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/29/6"}, {"name": "https://www.drupal.org/node/2402749", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2402749"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3352", "datePublished": "2015-04-21T16:00:00", "dateReserved": "2015-04-21T00:00:00", "dateUpdated": "2016-12-02T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jammer_project:jammer:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "A6C1B654-C7F9-4954-8CAE-98D6375E6475", "versionEndIncluding": "6.x-1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to \"report administration.\""}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en el m\u00f3dulo Jammer anterior a 6.x-1.8 y 7.x-1.x anterior a 7.x-1.4 para Drupal permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que eliminan una configuraci\u00f3n para (1) elementos de formulario escondidos o (2) mensajes de estado a trav\u00e9s de vectores no especificados, relacionado con 'administraci\u00f3n de informes.'"}], "id": "CVE-2015-3352", "lastModified": "2016-12-06T03:00:12.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-04-21T16:59:12.047", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/01/29/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/71958"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2402745"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2402749"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2403487"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}