CVE-2015-4364 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Campaign Monitor Project	Campaign Monitor

Configuration 1 [-]

cpe:2.3:a:campaign_monitor_project:campaign_monitor:7.x-1.0:*:*:*:*:drupal:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/72953
https://www.drupal.org/node/2445971	Patch Vendor Advisory
https://www.drupal.org/node/2449747
https://www.drupal.org/node/2452569	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-15T14:00:00

Updated: 2018-06-26T03:57:01

Reserved: 2015-06-05T00:00:00

Link: CVE-2015-4364

JSON object: View

NVD Information

Status : Modified

Published: 2015-06-15T14:59:19.590

Modified: 2018-06-27T01:29:00.340

Link: CVE-2015-4364

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-26T03:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2452569"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2449747"}, {"name": "72953", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72953"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2445971"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4364", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2452569", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2452569"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"name": "https://www.drupal.org/node/2449747", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2449747"}, {"name": "72953", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72953"}, {"name": "https://www.drupal.org/node/2445971", "refsource": "MISC", "url": "https://www.drupal.org/node/2445971"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4364", "datePublished": "2015-06-15T14:00:00", "dateReserved": "2015-06-05T00:00:00", "dateUpdated": "2018-06-26T03:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:campaign_monitor_project:campaign_monitor:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "2DEC20DD-36E4-4AF2-A451-3F75C94EFB90", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site)."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades Cross-Site Request Forgery (CSRF) en includes/campaignmonitor_lists.admin.inc en el m\u00f3dulo Campaign Monitor 7.x-1.0 para Drupal permite que los atacantes remotos secuestren la autenticaci\u00f3n de usuarios para las peticiones que (1) permiten suscripciones de listas mediante una petici\u00f3n a admin/config/services/campaignmonitor/lists/%/enable o (2) deshabilitan las suscripciones de listas mediante una petici\u00f3n a admin/config/services/campaignmonitor/lists/%/disable. NOTA: esto se refiera a un problema en un m\u00f3dulo de Drupal desarrollado de manera independiente y NO en el software Campaign Monitor (descrito en el sitio web campaignmonitor.com)."}], "id": "CVE-2015-4364", "lastModified": "2018-06-27T01:29:00.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-06-15T14:59:19.590", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/72953"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2445971"}, {"source": "cve@mitre.org", "url": "https://www.drupal.org/node/2449747"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2452569"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}