Drupal Security Team, DRUPAL-SA-CONTRIB-2015-092
Apr 01, 2015 - 12:00 a.m.

Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092

2015-04-01 00:00:00
Drupal Security Team
www.drupal.org
4

CVSS2: 4

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS: 0.967 (Percentile: 99.7%)

This module enables you to import content from a web page by scraping its Open Graph data.

The module doesn’t sufficiently check for “create” permission to the content type that is configured as the destination for imported content, thus allowing a user with the “import og_tag_importer” permission to create content regardless of other permissions.
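
The kind of check the advisory describes as missing, shown for Drupal 7 as an added example. It is not code from og_tag_importer: the module name `example_importer`, its permission string, menu path and variable name are hypothetical. The form builder `example_importer_form` is assumed to exist and to call `example_importer_create_node()` on submit.

```php
<?php
// Added example for Drupal 7. Not code from og_tag_importer: the module name
// "example_importer", its permission, path and variable are hypothetical.

/**
 * Implements hook_menu().
 */
function example_importer_menu() {
  $items['import/og'] = array(
    'title' => 'Import Open Graph content',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_importer_form'),
    // Weak form: 'access arguments' => array('import example_importer')
    // alone, which only proves the user may use the importer.
    'access callback' => 'example_importer_access',
  );
  return $items;
}

/**
 * Grants access only if the account holds the import permission AND may
 * create nodes of the configured destination type.
 */
function example_importer_access($account = NULL) {
  $type = variable_get('example_importer_node_type', 'article');
  return user_access('import example_importer', $account)
    && node_access('create', $type, $account);
}

/**
 * Creates the node from scraped tags; re-checks access at the write itself.
 */
function example_importer_create_node(array $og_tags) {
  global $user;
  if (!example_importer_access($user)) {
    watchdog('example_importer', 'Import denied for uid @uid.',
      array('@uid' => $user->uid), WATCHDOG_WARNING);
    return FALSE;
  }
  $node = new stdClass();
  $node->type = variable_get('example_importer_node_type', 'article');
  $node->language = LANGUAGE_NONE;
  node_object_prepare($node);
  $node->uid = $user->uid;
  $title = isset($og_tags['og:title']) ? $og_tags['og:title'] : 'Untitled import';
  $node->title = drupal_substr($title, 0, 255);
  node_save($node);
  return $node->nid;
}
```

The second check inside `example_importer_create_node()` matters because `node_save()` performs no access checking of its own, so any other caller of the function would otherwise bypass the menu-level check.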

CVE identifier(s) issued

  • CVE-2015-4389

Versions affected

  • og_tag_importer 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Open Graph Importer module, there is nothing you need to do.

Solution

Disable the module. There is no safe version of the module to use.

Also see the Open Graph Importer project page.

Reported by

Fixed by

Not applicable.

Coordinated by
