Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2015-109

HistoryMay 20, 2015 - 12:00 a.m.

pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109

2015-05-2000:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.1%

JSON

This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file.

The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users.

CVE identifier(s) issued

CVE-2015-5496

Versions affected

All versions of pass2pdf module

Drupal core is not affected. If you do not use the contributed pass2pdf module,
there is nothing you need to do.

Solution

If you use the pass2pdf module you should uninstall it.

Also see the pass2pdf project page.

Reported by

Sam Becker

Fixed by

Not applicable.

Coordinated by

Pere Orga of the Drupal Security Team

References

twitter.com/drupalsecurity

www.drupal.org/contact

www.drupal.org/project/pass2pdf

www.drupal.org/security-team

www.drupal.org/security-team/risk-levels

www.drupal.org/security/secure-configuration

www.drupal.org/user/1485048

www.drupal.org/user/2301194

www.drupal.org/writing-secure-code

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.1%

JSON

Related for DRUPAL-SA-CONTRIB-2015-109