CVE-2013-4445
Vulnerability from cvelistv5
Published
2013-12-07 20:00
Modified
2024-08-06 16:45
Severity ?
EPSS score ?
Summary
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2013-20965",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/2113317"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/2112785"
},
{
"name": "FEDORA-2013-20942",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html"
},
{
"name": "FEDORA-2013-20976",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/2112791"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal\u0027s token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-12-07T19:57:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2013-20965",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/2113317"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/2112785"
},
{
"name": "FEDORA-2013-20942",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html"
},
{
"name": "FEDORA-2013-20976",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/2112791"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4445",
"datePublished": "2013-12-07T20:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2013-4445\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-12-07T20:55:02.350\",\"lastModified\":\"2013-12-09T17:36:41.620\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal\u0027s token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access.\"},{\"lang\":\"es\",\"value\":\"La funcionalidad de renderizaci\u00f3n de json en el m\u00f3dulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para restringir el acceso a bloques, lo cual facilita a usuarios autenticados remotamente adivinar el token de acceso para un bloque aprovechando el token de un bloque al cual el usuario tiene acceso.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.9},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5502A2B-D8D1-4BC9-8902-C9F9A8C2AF6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B2438DF-817D-46D4-885D-CF6052BF4166\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBF39898-9E79-4B1C-BC00-B37CCA30088B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"3BA71873-1CCC-4447-8C98-31FDA002AAEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"7DFE54DF-B6F2-4ECF-9283-DA3836D1DDAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"4274C682-9E48-432D-9CA2-5CDB054864DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBBBDCEA-521C-46D1-9A35-2EA3234A3E6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"68C704EE-E219-453C-BFE5-2B1E607B588A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"26EA9E05-CE12-4D64-A766-ED60D20C3923\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"903398AF-285F-4255-95B7-3FE4270AECF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"F892763E-1C37-46D9-9DE3-3FC73F11F628\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-2.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA264F98-0DE6-4B10-B0F4-B560A6C91D1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D86EDBB-DCFA-4D50-99DB-8ACF1ACF66EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBF14829-B6B3-4877-958E-2AC0C9CD181C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E92FBFA-798C-4F62-BFDE-4FCC4F96444A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F8BB94F-5BC4-407B-92BF-EB12DB73C56A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABEE4DD6-6B08-4ED4-A83D-CBA80876A471\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"939DE81A-B5CB-4DDE-BC0A-91AB98EB0F33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE4F00D3-9E8A-4252-B89A-86DF14152CFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"C4F9F796-E4E3-41E8-9116-39818B2F0560\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6940D10-57DE-4DA6-B74D-3BF557887B77\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"048EC726-6508-4660-8C3C-8A9D44C33FEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"866D9923-EB35-450B-847E-EE4E7F2512CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"40277B77-BF40-452C-B5E6-4EC603C1D939\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2BE52A3-4D15-4F57-AA4D-DF6EEAE9AD6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2223B9D6-4FF5-49E2-A962-C919225E23F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:6.x-3.x:dev:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB8C63F8-2BA6-44CD-82F7-C97E95D9CDCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5408D146-CFED-4566-90D0-521789B9D491\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"F614AFDF-29FA-4E5B-9FC7-85A3EA70405D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3A5E0DB-594C-463A-BF78-55C0C658F156\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA0E624D-E541-4F8A-A3C1-7EDCEA909AE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7944EE0-1B4A-4604-931E-C2B656B0A160\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"41454A9D-59CC-480B-A47D-3E4FB090A9F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2012981-AFDD-49EF-83BA-6C7A906A0E85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"F93CC5BA-E98C-44CB-96E9-35793967A5AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"704732A4-AF57-4D12-AFE5-C503C84550F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A1C4CCE-000D-40A7-8EB6-88C29429F28F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:steven_jones:context:7.x-3.x:dev:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B5A5504-DD90-47A1-BB7F-5B9648ABA097\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8B1170D-AD33-4C7A-892D-63AC71B032CF\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://drupal.org/node/2112785\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://drupal.org/node/2112791\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://drupal.org/node/2113317\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.