CVE-2015-4391

EUVD-2015-4414
Cross-site request forgery (CSRF) vulnerability in the CiviCRM private report module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of users for requests that delete reports via unspecified vectors.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
Affected Products (NVD)
VendorProductVersion
civicrmcivicrm_private_report
6.x-1.0:x
civicrmcivicrm_private_report
6.x-1.1:x
civicrmcivicrm_private_report
7.x-1.0:x
civicrmcivicrm_private_report
7.x-1.1:x
civicrmcivicrm_private_report
7.x-1.2:x
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/74351
https://www.drupal.org/node/2467631
https://www.drupal.org/node/2467635
https://www.drupal.org/node/2467697
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/74351
https://www.drupal.org/node/2467631
https://www.drupal.org/node/2467635
https://www.drupal.org/node/2467697