Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-016

HistoryFeb 13, 2013 - 12:00 a.m.

SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported

2013-02-1300:00:00

Drupal Security Team

www.drupal.org

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.004 Low

EPSS

Percentile

73.2%

JSON

This module enables you to chat with the visitors of your web site.

The module doesn’t sufficiently check access to its admin pages.

This vulnerability is not mitigated.

CVE identifier(s) issued

CVE-2013-0318

Versions affected

All Banckle Chat 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Banckle Chat module, there is nothing you need to do.

Solution

Uninstall the module.

Also see the Banckle Chat project page.

Reported by

Wale Adesanya
Lau Futtrup Rasmussen

Fixed by

Not applicable.

Coordinated by

Gerhard Killesreiter of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/banckle_live_chat

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/1028156

drupal.org/user/83

drupal.org/writing-secure-code

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.004 Low

EPSS

Percentile

73.2%

JSON

Related for DRUPAL-SA-CONTRIB-2013-016