CVE-2015-4398 - OpenCVE

Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Chaos Tool Suite Project	Ctools

Configuration 1 [-]

OR	cpe:2.3:a:chaos_tool_suite_project:ctools::::::drupal::*
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.0:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.1:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.2:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.3:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.4:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.5:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:::::drupal::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/03/22/35
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/73224
https://www.drupal.org/node/2454883	Patch
https://www.drupal.org/node/2454885	Patch
https://www.drupal.org/node/2454909	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-16T17:00:00

Updated: 2015-06-17T17:57:00

Reserved: 2015-06-05T00:00:00

Link: CVE-2015-4398

JSON object: View

NVD Information

Status : Analyzed

Published: 2015-06-16T17:59:00.973

Modified: 2015-06-25T16:26:28.393

Link: CVE-2015-4398

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-18T00:00:00", "descriptions": [{"lang": "en", "value": "Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-06-17T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2454885"}, {"name": "73224", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/73224"}, {"name": "[oss-security] 20150322 CVE requests for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2454909"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2454883"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2454885", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2454885"}, {"name": "73224", "refsource": "BID", "url": "http://www.securityfocus.com/bid/73224"}, {"name": "[oss-security] 20150322 CVE requests for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"name": "https://www.drupal.org/node/2454909", "refsource": "MISC", "url": "https://www.drupal.org/node/2454909"}, {"name": "https://www.drupal.org/node/2454883", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2454883"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4398", "datePublished": "2015-06-16T17:00:00", "dateReserved": "2015-06-05T00:00:00", "dateUpdated": "2015-06-17T17:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "468543BB-7BF6-422C-A775-B0741E866577", "versionEndIncluding": "6.x-1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "5FA4E46D-F7D9-448D-B971-D8EE786EB3AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "EFA33F20-D932-42F3-84B0-9E55645D64D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "F56B3706-6AF5-42C9-A565-882AE03ADA9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "7683107F-23E1-4220-91FA-CFCDD2129AE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.4:*:*:*:*:drupal:*:*", "matchCriteriaId": "698747A0-461D-409B-B9DE-9059CCF81AA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.5:*:*:*:*:drupal:*:*", "matchCriteriaId": "05D4A651-2FFE-42D1-8412-4C3C4098995F", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:*:*:*:*:drupal:*:*", "matchCriteriaId": "FF5CE8CA-69E1-465A-9F16-C96FB1E0F564", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages."}, {"lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n abierta en el m\u00f3dulo Chaos tool suite (ctools) anterior a 6.x-1.12 y 7.x-1.x anterior a 7.x-1.7 para Drupal permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a trav\u00e9s de vectores no especificados que involucra las p\u00e1ginas de la eliminaci\u00f3n de de confirmaciones en proceso."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/601.html\">CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a>", "id": "CVE-2015-4398", "lastModified": "2015-06-25T16:26:28.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-06-16T17:59:00.973", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/73224"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2454883"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2454885"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2454909"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}