Fedora EPEL 7 update for drupal7
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2015-3231 CVE-2015-3232 CVE-2015-3233 CVE-2015-3234 |
| CWE-ID | CWE-200 CWE-601 CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system drupal7 Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU434
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-3231
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a non-privileged user to get access to user's private information.
The weakness is caused by cache system sites. Private cache of one of the users may be seen by other non-privileged users.
Successful exploitation of this vulnerability will allow a malicious user to obtain valid user's personal data.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.38-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Open redirect
EUVDB-ID: #VU432
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-3232
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a malicious user to perform potential social engineering attacks.
The weakness exists due to using of "destinations" query string parameter in malicious purposes. A remote attacker can trick the valid user into using of specially constructed URL for redirecting a victim to a 3rd party website.
Successful exploitation of this vulnerability may result in potential social engineering attacks.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.38-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Open redirect
EUVDB-ID: #VU433
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-3233
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows attackers to obtain potentially sensitive information.
The weakness exists due to unproper functionality of Overlay module that unsufficiently checks the URLs. The module also shows administrative page in the browser instead of its substitution.
Successful exploitation of this vulnerability may result in obtaining potentially sensitive data.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.38-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Impersonation
EUVDB-ID: #VU431
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-3234
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows attackers to hijack valid users' accounts.
The weakness is caused by malicious user's possibility to log in as another user (even administrator) on the site that may provide him access to data.
Successful exploitation of this vulnerability may result in hijacking of target users' accounts.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 7
drupal7: before 7.38-1.el7
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
