CVE-2015-8761 — CRITICAL (9.0)

Vulnerability Description

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.

CVSS Score

9.0

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Values Project	Values	7.x-1.0

Related Weaknesses (CWE)

CWE-94

References

http://cgit.drupalcode.org/values/commit/?id=5942ee9
http://www.securityfocus.com/bid/79656
https://www.drupal.org/node/2622534Patch
https://www.drupal.org/node/2636344PatchVendor Advisory
http://cgit.drupalcode.org/values/commit/?id=5942ee9
http://www.securityfocus.com/bid/79656
https://www.drupal.org/node/2622534Patch
https://www.drupal.org/node/2636344PatchVendor Advisory

FAQ

What is CVE-2015-8761?

CVE-2015-8761 is a vulnerability with a CVSS score of 9.0 (CRITICAL). The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via th...

How severe is CVE-2015-8761?

CVE-2015-8761 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2015-8761?

Check the references section above for vendor advisories and patch information. Affected products include: Values Project Values.