Drupal Security Team - DRUPAL-SA-CONTRIB-2012-157
Published: Oct 24, 2012

SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)

Source: www.drupal.org

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.001 (Percentile: 51.1%)

The Time Spent module tracks the time a registered user spends on a site and a site’s content.

The module doesn’t sufficiently sanitize user input. Cross-site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have been addressed by the author; the Drupal Security Team recommends that this module be uninstalled immediately.

CVE identifier(s) issued

  • XSS: CVE-2012-5548
  • CSRF: CVE-2012-5549
  • SQL Injection: CVE-2012-5550

Versions affected

  • All Time Spent module versions.

Drupal core is not affected. If you do not use the contributed Time Spent module, there is nothing you need to do.

Solution

Uninstall the module:

  • If you use the Time Spent module, you should disable the module.

Also see the Time Spent project page.

Reported by

Coordinated by
