drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2012-171
History: Nov 28, 2012 - 12:00 a.m.

SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)

2012-11-28 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.967 (Percentile: 99.7%)

The Webmail Plus module is a full-featured email client for Drupal. It’s designed to provide email for any or all members of a Drupal site.

The module doesn’t sufficiently sanitize user input as it is used in a database query.

CVE: CVE-2012-5590

Versions affected

  • All Webmail Plus module versions.

Drupal core is not affected. If you do not use the contributed Webmail Plus module, there is nothing you need to do.

Solution

Uninstall the module:

  • If you use the Webmail Plus module you should disable the module.

Also see the Webmail Plus project page.

Reported by

  • Fox of the Drupal Security Team

Coordinated by
