Vulnerability Description
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| User Read-Only Project | User Readonly | 6.x-1.0 |
| Drupal | Drupal | - |
Related Weaknesses (CWE)
References
- http://drupal.org/node/1840038Patch
- http://drupal.org/node/1840054Patch
- http://drupal.org/node/1840886PatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2012/11/20/4
- http://drupal.org/node/1840038Patch
- http://drupal.org/node/1840054Patch
- http://drupal.org/node/1840886PatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2012/11/20/4
FAQ
What is CVE-2012-5557?
CVE-2012-5557 is a vulnerability with a CVSS score of 3.6 (LOW). The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configur...
How severe is CVE-2012-5557?
CVE-2012-5557 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-5557?
Check the references section above for vendor advisories and patch information. Affected products include: User Read-Only Project User Readonly, Drupal Drupal.