Vulnerability identifier: #VU7260
Vulnerability risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software: SMTP Authentication Support
Category: Web applications / Modules and components for CMS
Vendor: Chuva Inc.
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability resides in the SMTP Authentication Support module for Drupal when it is configured to run in debug mode. The module logs sensitive information, which can be accessed by remote unauthenticated users.
Mitigation
Update to version 7.x-1.7 or 8.x-1.0-beta3.
Vulnerable software versions
SMTP Authentication Support: 7.x-1.0 - 8.x-1.0-beta2
External links
https://www.drupal.org/node/2890357
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.