Vulnerability Name:

CVE-2012-2721 (CCN-76150)

Assigned: 2012-06-06
Published: 2012-06-06
Updated: 2017-08-29
Summary: The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possibly have other unspecified impact.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2012-2721

Source: CONFIRM
Type: Patch
http://drupal.org/node/1619736

Source: CCN
Type: SA-CONTRIB-2012-092
Organic Groups - Cross Site Scripting (XSS) and Access Bypass

Source: MISC
Type: Patch, Vendor Advisory
http://drupal.org/node/1619810

Source: CCN
Type: Organic Groups module for Drupal Web Site
Organic groups | drupal.org

Source: CONFIRM
Type: Exploit, Patch
http://drupalcode.org/project/og.git/commitdiff/1485708

Source: CCN
Type: SA49397
Drupal Organic Groups Module Security Bypass and Script Insertion Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
49397

Source: MLIST
Type: UNKNOWN
[oss-security] 20120613 Re: CVE Request for Drupal contributed modules

Source: OSVDB
Type: UNKNOWN
82728

Source: CCN
Type: OSVDB ID: 82728
Organic Groups Module for Drupal access content Permission Verification Access Restriction Bypass

Source: BID
Type: UNKNOWN
53838

Source: CCN
Type: BID-53838
Drupal Organic Groups Module Cross Site Scripting and Security Bypass Vulnerabilities

Source: XF
Type: UNKNOWN
organicgroups-permission-security-bypass(76150)


Vulnerable Configuration:
Configuration 1:
  • cpe:/a:moshe_weitzman:organic_groups:6.x-2.0:*:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.1:*:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.2:*:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.3:*:*:*:*:*:*:*
  • OR cpe:/a:moshe_weitzman:organic_groups:6.x-2.x:dev:*:*:*:*:*:*
  • AND
  • cpe:/a:drupal:drupal:-:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    moshe_weitzman organic groups 6.x-2.0
    moshe_weitzman organic groups 6.x-2.0 rc1
    moshe_weitzman organic groups 6.x-2.0 rc2
    moshe_weitzman organic groups 6.x-2.0 rc3
    moshe_weitzman organic groups 6.x-2.1
    moshe_weitzman organic groups 6.x-2.2
    moshe_weitzman organic groups 6.x-2.3
    moshe_weitzman organic groups 6.x-2.x dev
    drupal drupal -