Drupal Security TeamDRUPAL-SA-CONTRIB-2012-020SA-CONTRIB-2012-020 - Faster Permissions - Access bypass
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.8%
CVE: CVE-2012-1643
This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions.
The module doesn’t sufficiently check for the required permissions when the provided permission administration is displayed and therefore allows users without the required permissions to configure module permissions.
Versions affected
- Faster Permissions 7.x-2.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Faster Permissions module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Faster Permissions module for Drupal 7.x, upgrade to Faster Permissions 7.x-1.2
See also the Faster Permissions project page.
Reported by
Fixed by
- Sascha Grossenbacher
- Jason Savino the module maintainer.
Coordinated by
- Greg Knaddison of the Drupal Security Team
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
72.8%