SA-CONTRIB-2012-163 - User Read-Only - Permission escalation

Advisory ID: DRUPAL-SA-CONTRIB-2012-163
Published: 2012-11-14 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 3.6 Low (AV:N/AC:H/Au:S/C:P/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.001 Low (percentile 50.3%)

User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing.

The module can mistakenly assign roles when performing unrelated operations against a user’s account such as changing a password.

The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3).
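The advisory states that account saves which should not touch roles (a password change, for example) can end up granting roles. The following is an added example, not code from the advisory or from the User Read-Only module: a small hypothetical Drupal 7 module named `role_change_audit` that implements `hook_user_presave()` and writes a watchdog entry whenever a save adds or removes roles, noting whether the same save also changed the password. It lets a site administrator spot unexpected role grants in the log while the module is being upgraded. The module name and the log category are assumptions; the hook signature, `watchdog()`, and the `DRUPAL_ANONYMOUS_RID`/`DRUPAL_AUTHENTICATED_RID` constants are the standard Drupal 7 API.

```php
<?php
/**
 * Added example, not part of the advisory or of User Read-Only:
 * hypothetical module "role_change_audit" for Drupal 7 that logs
 * every change to a user's roles made during an account save.
 */

/**
 * Implements hook_user_presave().
 *
 * $edit holds the values about to be saved, $account the stored user.
 * Both carry roles as an array keyed by role ID (rid).
 */
function role_change_audit_user_presave(&$edit, $account, $category) {
  // A brand-new account has no previous roles to compare against.
  if (empty($account->uid)) {
    return;
  }
  // Nothing to audit when this save does not carry a roles value at all.
  if (!isset($edit['roles'])) {
    return;
  }

  $old = role_change_audit_rids($account->roles);
  $new = role_change_audit_rids($edit['roles']);
  $added = array_diff($new, $old);
  $removed = array_diff($old, $new);
  if (empty($added) && empty($removed)) {
    return;
  }

  global $user;
  // A non-empty 'pass' value means the password is changed in the same
  // save: the kind of unrelated operation the advisory describes.
  $password_change = !empty($edit['pass']);

  watchdog('role_change_audit',
    'Roles changed for uid @uid by uid @actor (added: @added; removed: @removed; password changed in same save: @pw)',
    array(
      '@uid' => $account->uid,
      '@actor' => $user->uid,
      '@added' => $added ? implode(',', $added) : 'none',
      '@removed' => $removed ? implode(',', $removed) : 'none',
      '@pw' => $password_change ? 'yes' : 'no',
    ),
    WATCHDOG_WARNING);
}

/**
 * Normalises a roles array to a sorted list of granted role IDs.
 *
 * Accepts the stored form (rid => role name) as well as the submitted
 * checkbox form (rid => rid when checked, rid => 0 when unchecked).
 * The anonymous and authenticated pseudo-roles are ignored because
 * Drupal manages them itself and they would otherwise produce noise.
 */
function role_change_audit_rids($roles) {
  $rids = array();
  foreach ((array) $roles as $rid => $value) {
    if (!$value) {
      continue;
    }
    if ($rid == DRUPAL_ANONYMOUS_RID || $rid == DRUPAL_AUTHENTICATED_RID) {
      continue;
    }
    $rids[] = (int) $rid;
  }
  sort($rids);
  return $rids;
}
```

Entries appear under Reports > Recent log messages with the type `role_change_audit`; a role added on a save whose `@pw` field reads `yes`, or on any save made by a user who was not editing roles, is the pattern worth reviewing.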

CVE: CVE-2012-5557

Versions affected

  • User Read-Only 6.x-1.x versions prior to 6.x-1.4.
  • User Read-Only 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed User Read-Only module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the User Read-Only module for Drupal 6.x, upgrade to User Read-Only 6.x-1.4
  • If you use the User Read-Only module for Drupal 7.x, upgrade to User Read-Only 7.x-1.4

Also see the User Read-Only project page.

Reported by

Fixed by

Coordinated by
