Vulnerability CVE-2009-2077

Vulnerability Name:

CVE-2009-2077 (CCN-51058)

Assigned:

2009-06-10

Published:

2009-06-10

Updated:

2009-06-19

Summary:

Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2009-2077

Source: CCN
Type: DRUPAL-SA-CONTRIB-2009-037
SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/488068

Source: CONFIRM
Type: Patch, Vendor Advisory
http://drupal.org/node/488082

Source: CCN
Type: LAMP Security Web site
Drupal 6 Views Module XSS Vulnerability

Source: CCN
Type: SA35425
Drupal Views Module Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
35425

Source: BID
Type: Patch
35304

Source: CCN
Type: BID-35304
Drupal Views Module Multiple Security Bypass and HTML Injection Vulnerabilities

Source: XF
Type: UNKNOWN
views-content-security-bypass(51058)

Vulnerable Configuration:

Configuration 1:

cpe:/a:angrydonuts:views:6.x-2.0:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:alpha1:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:alpha2:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:alpha3:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:alpha4:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:alpha5:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:beta1:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:beta2:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:beta3:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:beta4:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:rc1:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:rc2:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:rc3:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:rc4:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.0:rc5:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.1:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.2:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.3:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.4:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.5:*:*:*:*:*:*:*

OR cpe:/a:angrydonuts:views:6.x-2.x:dev:*:*:*:*:*:*

AND

cpe:/a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:views_project:views:6.x-2.1:*:*:*:*:drupal:*:*

OR cpe:/a:views_project:views:6.x-2.0:-:*:*:*:drupal:*:*

OR cpe:/a:views_project:views:6.x-2.2:*:*:*:*:drupal:*:*

OR cpe:/a:views_project:views:6.x-2.3:*:*:*:*:drupal:*:*

OR cpe:/a:views_project:views:6.x-2.4:*:*:*:*:drupal:*:*

OR cpe:/a:views_project:views:6.x-2.5:*:*:*:*:drupal:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2009-2077 (CCN-51059)

Assigned:

2009-06-10

Published:

2009-06-10

Updated:

2009-06-19

Summary:

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2009-2077

Source: CCN
Type: DRUPAL-SA-CONTRIB-2009-037
SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities

Source: CCN
Type: LAMP Security Web site
Drupal 6 Views Module XSS Vulnerability

Source: CCN
Type: SA35425
Drupal Views Module Multiple Vulnerabilities

Source: CCN
Type: BID-35304
Drupal Views Module Multiple Security Bypass and HTML Injection Vulnerabilities

Source: XF
Type: UNKNOWN
views-queries-security-bypass(51059)

BACK