CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%
CVE: CVE-2012-1628
SuperCron is a complete replacement for Drupal’s built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with “access administration pages” permission.
CVE: CVE-2012-1629
Taxotouch helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.
CVE: CVE-2012-1630
Taxonomy Navigatorshows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.
CVE: CVE-2012-1631
Admin:hover allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.
All versions of all four modules are affected by vulnerabilities.
Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.
Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Abandoned project process
No fixes created.
drupal.org/contact
drupal.org/node/101494
drupal.org/node/251466
drupal.org/project/admin_hover
drupal.org/project/supercron
drupal.org/project/taxonomy_navigator
drupal.org/project/taxotouch
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/383424
drupal.org/user/96647
drupal.org/writing-secure-code