CVE-2013-4226
CVSS Score: 6.5 (Medium)
Vulnerability Description
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Attack Vector: N
- Attack Complexity: L
- Privileges Required: L
- User Interaction: N
- Scope: U
- Confidentiality: H
- Integrity: N
- Availability: N
Known Affected Software
6 configuration(s) from 1 vendor(s)
- authenticated_user_page_caching, Version: 7.x-1.3, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.3:*:*:*:*:drupal:*:*
- authenticated_user_page_caching, Version: 7.x-1.5, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.5:*:*:*:*:drupal:*:*
- authenticated_user_page_caching, Version: 7.x-1.0, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.0:*:*:*:*:drupal:*:*
- authenticated_user_page_caching, Version: 7.x-1.1, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.1:*:*:*:*:drupal:*:*
- authenticated_user_page_caching, Version: 7.x-1.4, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.4:*:*:*:*:drupal:*:*
- authenticated_user_page_caching, Version: 7.x-1.2, CPE: cpe:2.3:a:drupal:authenticated_user_page_caching:7.x-1.2:*:*:*:*:drupal:*:*
This vulnerability affects 6 software configuration(s). Ensure you patch all affected systems.
References & Resources
- http://www.openwall.com/lists/oss-security/2013/08/10/1 (source: secalert@redhat.com): Mailing List, Third Party Advisory
- https://drupal.org/node/2058165 (source: secalert@redhat.com): Release Notes, Vendor Advisory
- https://drupal.org/node/2059589 (source: secalert@redhat.com): Vendor Advisory
Severity Details
6.5 out of 10.0 (Medium)
Weakness Type (CWE)
CWE-862: Missing Authorization (Top 25 #8)
- Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- Exploit Likelihood: High
- Typical Severity: High
- OWASP Top 10: A01:2021-Broken Access Control
- Abstraction Level: Class
Key Information
- Published Date: February 18, 2020
