Vulnerability Description
The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Certify Project | Certify | 6.x-2.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2015/01/29/6
- http://www.openwall.com/lists/oss-security/2015/04/21/8
- http://www.securityfocus.com/bid/74282
- https://www.drupal.org/node/2407081 (Patch)
- https://www.drupal.org/node/2415947 (Patch, Vendor Advisory)
FAQ
What is CVE-2015-3404?
CVE-2015-3404 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certi...
How severe is CVE-2015-3404?
CVE-2015-3404 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2015-3404?
Check the references section above for vendor advisories and patch information. Affected products include: Certify Project Certify.