Organic Groups Vocabulary module for Drupal membership security bypass

ogvocab-membership-security-bypass (53780) The risk level is classified as MediumMedium Risk

Description:

An unspecified vulnerability in the Organic Groups Vocabulary module for Drupal could allow a remote attacker to bypass security restrictions. An authenticated attacker with group membership could exploit this vulnerability to view, edit, and create vocabularies and terms for all groups.

*CVSS:

Base Score: 6.4
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 4.7
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Bypass Security

Remedy:

Refer to DRUPAL-SA-CONTRIB-2009-071 for patch, upgrade or suggested workaround information. See References.

References:

  • DRUPAL-SA-CONTRIB-2009-071: Organic Groups Vocabulary Access Bypass.
  • BID-36685: Drupal Organic Groups Vocabulary Module Unauthorized Access Vulnerability
  • CVE-2009-4528: The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors.
  • OSVDB ID: 58947: Organic Groups Vocabulary Module for Drupal Access Permission Bypass
  • SA37060: Drupal Organic Groups Vocabulary Module Security Bypass Vulnerability

Platforms Affected:

  • Drupal Organic Groups Vocabulary module for Drupal 6.x

Reported:

Oct 14, 2009

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page