CVSS2: 3.6 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N
EPSS: 0.001 Low
Percentile: 50.3%
User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing.
The module can mistakenly assign roles when performing unrelated operations against a user’s account, such as changing a password.
The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3).
CVE: CVE-2012-5557
Drupal core is not affected. If you do not use the contributed User Read-Only module, there is nothing you need to do.
Install the latest version:
Also see the User Read-Only project page.