Vulnerability Name: CVE-2015-7875 (CCN-130512)

Assigned: 2015-08-19
Published: 2015-08-19
Updated: 2017-09-29
Summary: ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): High
  Availability (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Low
  Availability (A): None

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None

Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2015-7875

Source: CCN
Type: IBM Security Bulletin 2008323 (API Connect)
API Connect Portal is affected by multiple Drupal vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2008902 (API Connect)
API Connect Portal is affected by multiple Drupal vulnerabilities

Source: CCN
Type: oss-sec Mailing List, Wed, 21 Oct 2015 11:50:44 +0000
Re: CVE Requests for Drupal contributed modules

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20151021 Re: CVE Requests for Drupal contributed modules (from SA-CONTRIB-2015-132 to SA-CONTRIB-2015-156)

Source: BID
Type: UNKNOWN
76441

Source: CCN
Type: BID-76441
Drupal Ctools Module Cross Site Scripting and Access Bypass Vulnerabilities

Source: XF
Type: UNKNOWN
drupal-cve20157875-sec-bypass(130512)

Source: CCN
Type: Drupal Security Advisory:SA-CONTRIB-2015-141
Ctools - Critical - Multiple Vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
https://www.drupal.org/node/2554145

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:alpha1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:alpha2:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:alpha3:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:beta1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:beta2:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:beta3:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:beta4:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.0:rc1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.1:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.2:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.3:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.4:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.5:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.6:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.7:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.8:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.9:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.11:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.12:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.13:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:6.x-1.x:dev:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:alpha1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:alpha2:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:alpha3:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:alpha4:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:beta1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:rc1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.0:rc2:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.1:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.2:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.3:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.4:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.5:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.6:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.6:rc1:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.7:*:*:*:*:drupal:*:*
  • OR cpe:/a:chaos_tool_suite_project:ctools:7.x-1.x:dev:*:*:*:drupal:*:*
