CVE-2015-3380 - Vulnerability Details - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Funnymonkey	Feature Set

Configuration 1 [-]

cpe:2.3:a:funnymonkey:feature_set:*:*:*:*:*:drupal:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2015/02/13/12
http://www.securityfocus.com/bid/72617
https://www.drupal.org/node/2424409

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-04-21T18:00:00

Updated: 2024-08-06T05:47:57.561Z

Reserved: 2015-04-21T00:00:00

Link: CVE-2015-3380

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-04-21T18:59:02.547

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-3380

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "72617", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72617"}, {"name": "[oss-security] 20150213 CVE requests for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/02/13/12"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2424409"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3380", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "72617", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72617"}, {"name": "[oss-security] 20150213 CVE requests for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/02/13/12"}, {"name": "https://www.drupal.org/node/2424409", "refsource": "MISC", "url": "https://www.drupal.org/node/2424409"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:47:57.561Z"}, "title": "CVE Program Container", "references": [{"name": "72617", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72617"}, {"name": "[oss-security] 20150213 CVE requests for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/02/13/12"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2424409"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3380", "datePublished": "2015-04-21T18:00:00", "dateReserved": "2015-04-21T00:00:00", "dateUpdated": "2024-08-06T05:47:57.561Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:funnymonkey:feature_set:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "24AD29BC-AF5E-4869-B5F8-5C7090B901EA", "versionEndIncluding": "7.x-1.0-beta1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en el m\u00f3dulo Feature Set para Drupal permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que (1) activan o (2) desactivan un m\u00f3dulo a trav\u00e9s de vectores no especificados."}], "evaluatorComment": "Per the <a href=\"https://www.drupal.org/node/2424409\">advisory</a>: \"A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafted URL.\" Only integrity and availability are affected.", "id": "CVE-2015-3380", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-04-21T18:59:02.547", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/02/13/12"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/72617"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2424409"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/02/13/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/72617"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2424409"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}