CVE-2014-3453

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-3453
Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page.

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://seclists.org/fulldisclosure/2014/May/44 Exploit
http://www.openwall.com/lists/oss-security/2014/05/12/2
http://www.securityfocus.com/bid/67318
https://bugzilla.redhat.com/show_bug.cgi?id=1096604
http://seclists.org/fulldisclosure/2014/May/44 Exploit
http://www.openwall.com/lists/oss-security/2014/05/12/2
http://www.securityfocus.com/bid/67318
https://bugzilla.redhat.com/show_bug.cgi?id=1096604
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:flag_module_project:flag:*:*:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:-:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:alpha1:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:alpha2:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:alpha3:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:alpha4:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:beta1:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.0:rc1:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.1:*:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.2:*:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.3:*:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.4:*:*:*:*:drupal:*:*
cpe:2.3:a:flag_module_project:flag:7.x-3.x:dev:*:*:*:drupal:*:*
History

21 Nov 2024, 02:08

Type Values Removed Values Added
References () http://seclists.org/fulldisclosure/2014/May/44 - Exploit () http://seclists.org/fulldisclosure/2014/May/44 - Exploit
References () http://www.openwall.com/lists/oss-security/2014/05/12/2 - () http://www.openwall.com/lists/oss-security/2014/05/12/2 -
References () http://www.securityfocus.com/bid/67318 - () http://www.securityfocus.com/bid/67318 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=1096604 - () https://bugzilla.redhat.com/show_bug.cgi?id=1096604 -
Information

Published : 2014-05-17 19:55

Updated : 2024-11-21 02:08

NVD link : CVE-2014-3453

Mitre link : CVE-2014-3453

CVE.ORG link : CVE-2014-3453

JSON object : View

Products Affected

flag_module_project

  • flag
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')