Vulnerability CVE-2010-3022 - CERT Civis.Net

Vulnerability Name:

CVE-2010-3022 (CCN-60905)

Assigned:

2010-08-04

Published:

2010-08-04

Updated:

2017-08-17

Summary:

Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL.

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
1.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-3022

Source: CONFIRM
Type: UNKNOWN
http://drupal.org/node/874116

Source: CONFIRM
Type: Patch
http://drupal.org/node/874130

Source: CCN
Type: SA-CONTRIB-2010-079
Devel (Performance logging) - Cross Site Scripting

Source: CONFIRM
Type: Patch
http://drupal.org/node/874132

Source: CCN
Type: Drupal Web site
Devel | drupal.org

Source: OSVDB
Type: UNKNOWN
66889

Source: CCN
Type: SA40844
Drupal Devel (Performance logging) Module Script Insertion Vulnerability

Source: SECUNIA
Type: Vendor Advisory
40844

Source: CCN
Type: OSVDB ID: 66889
Devel (Performance logging) Module for Drupal Unspecified XSS

Source: BID
Type: Patch
42231

Source: CCN
Type: BID-42231
Drupal Devel (Performance logging) Module Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
devel-nodepath-xss(60905)

Source: XF
Type: UNKNOWN
devel-nodepath-xss(60905)

Vulnerable Configuration:

Configuration 1:

cpe:/a:drupal:devel_module:5.x-1.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:5.x-1.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:5.x-1.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:*:*:*:*:*:*:*:* (Version <= 5x-1.2)

OR cpe:/a:drupal:devel_module:6.x-1.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.4:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.5:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.6:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.7:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.8:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.9:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.10:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.11:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.12:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.13:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.14:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.15:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.16:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.17:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.18:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:6.x-1.19:*:*:*:*:*:*:*

OR cpe:/a:drupal:devel_module:*:*:*:*:*:*:*:* (Version <= 6.x-1.20)

Configuration CCN 1:

cpe:/a:drupal:devel_module:6.x-1.2:*:*:*:*:*:*:*

Denotes that component is vulnerable