Vulnerability CVE-2009-1037 - CERT Civis.Net

Vulnerability Name:

CVE-2009-1037 (CCN-49318)

Assigned:

2009-03-18

Published:

2009-03-18

Updated:

2009-03-26

Summary:

Unspecified vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to send unlimited spam messages via unknown vectors related to the flood control API.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2009-1037

Source: CCN
Type: DRUPAL-SA-CONTRIB-2009-012
SA-CONTRIB-2009-012 - Printer, e-mail and PDF versions - Unrestricted e-mailing (spam)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/406516

Source: OSVDB
Type: UNKNOWN
52785

Source: CCN
Type: SA34374
Drupal Print Module Security Bypass

Source: SECUNIA
Type: Vendor Advisory
34374

Source: CCN
Type: OSVDB ID: 52785
Send By E-mail Module for Drupal Flood Control API Security Bypass

Source: BID
Type: UNKNOWN
34173

Source: CCN
Type: BID-34173
Drupal Printer, e-mail and PDF versions Module Flood Control API Open Email Relay Vulnerability

Source: XF
Type: UNKNOWN
printeremailpdf-unspecified-mail-relay(49318)

Vulnerable Configuration:

Configuration 1:

cpe:/a:drupal:print:5.x:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-1.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-1.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-1.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-1.x-dev:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-2.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-2.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-2.x-dev:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.4:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.5:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.6:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-3.7:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-4.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-4.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-4.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-4.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:5.x-4.x:dev:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0-rc3:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0-rc4:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0-rc5:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0-rc8:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.0-rc9:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:print:6.x-1.x-dev:*:*:*:*:*:*:*

AND

cpe:/a:drupal:drupal:*:*:*:*:*:*:*:*

Denotes that component is vulnerable