Lucene search

[email protected]CVE-2014-3453

HistoryMay 17, 2014 - 7:55 p.m.

CVE-2014-3453

2014-05-1719:55:03

CWE-94

[email protected]

web.nvd.nist.gov

cve

2014

3453

eval injection vulnerability

flag module

drupal

remote code execution

security warning

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.5 High

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

74.4%

JSON

Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the “Flag import code” text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page.

Affected configurations

NVD

Node

flag_module_projectflagRange≤7.x-3.5drupal

flag_module_projectflagMatch7.x-3.0-drupal

flag_module_projectflagMatch7.x-3.0alpha1drupal

flag_module_projectflagMatch7.x-3.0alpha2drupal

flag_module_projectflagMatch7.x-3.0alpha3drupal

flag_module_projectflagMatch7.x-3.0alpha4drupal

flag_module_projectflagMatch7.x-3.0beta1drupal

flag_module_projectflagMatch7.x-3.0rc1drupal

flag_module_projectflagMatch7.x-3.1drupal

flag_module_projectflagMatch7.x-3.2drupal

flag_module_projectflagMatch7.x-3.3drupal

flag_module_projectflagMatch7.x-3.4drupal

flag_module_projectflagMatch7.x-3.xdevdrupal

CPENameOperatorVersion
flag_module_project:flagflag module project flagle7.x-3.5
flag_module_project:flagflag module project flageq7.x-3.0
flag_module_project:flagflag module project flageq7.x-3.1
flag_module_project:flagflag module project flageq7.x-3.2
flag_module_project:flagflag module project flageq7.x-3.3
flag_module_project:flagflag module project flageq7.x-3.4
flag_module_project:flagflag module project flageq7.x-3.x

CPE	Name	Operator	Version
flag_module_project:flag	flag module project flag	le	7.x-3.5
flag_module_project:flag	flag module project flag	eq	7.x-3.0
flag_module_project:flag	flag module project flag	eq	7.x-3.1
flag_module_project:flag	flag module project flag	eq	7.x-3.2
flag_module_project:flag	flag module project flag	eq	7.x-3.3
flag_module_project:flag	flag module project flag	eq	7.x-3.4
flag_module_project:flag	flag module project flag	eq	7.x-3.x