CVE-2015-4364

15.06.2015, 14:59

Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:P/I:P/A:P
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Vendor	Product	Version
campaign_monitor_project	campaign_monitor	7.x-1.0:x

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

http://www.openwall.com/lists/oss-security/2015/04/25/6

http://www.securityfocus.com/bid/72953

https://www.drupal.org/node/2445971

https://www.drupal.org/node/2449747

https://www.drupal.org/node/2452569

http://www.openwall.com/lists/oss-security/2015/04/25/6

http://www.securityfocus.com/bid/72953

https://www.drupal.org/node/2445971

https://www.drupal.org/node/2449747

https://www.drupal.org/node/2452569