Drupal Security Team, DRUPAL-SA-CONTRIB-2012-069
May 02, 2012 - 12:00 a.m.

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

www.drupal.org

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.002 (Percentile: 52.8%)

This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.

  • SQL Injection issue: CVE-2012-2306
  • CSRF issue: CVE-2012-2307

Versions affected

  • 6.x-4.2 and before

Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.

Solution

This module is not supported. Uninstall the module.

Also see the Addressbook project page.

Reported by
