5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.967 High
EPSS
Percentile
99.7%
Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools.
This vulnerability can be mitigated by the fact that ctools must load its javascript on the page and the user has access to submit data through a form (such as a comment or node) that allows โaโ tags.
This patch is a backport for SA-CORE-2015-003.
This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.
The module doesnโt sufficiently verify the โeditโ permission for the โcontent typeโ plugins that are used on Panels and similar systems to place content and functionality on a page.
This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no โeditโ permission is set up for the child object CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the personโs lack of access.
Cross Site Scripting:
Access bypass:
Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.
Install the latest version:
Also see the Chaos tool suite (ctools) project page.
Cross Site Scripting:
Access bypass:
Cross Site Scripting:
Access bypass:
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/ctools
www.drupal.org/SA-CORE-2015-003
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/damienmckenna
www.drupal.org/u/japerry
www.drupal.org/u/mikemiles86
www.drupal.org/u/neclimdul
www.drupal.org/u/pwolanin
www.drupal.org/u/sweetchuck
www.drupal.org/user/2301194
www.drupal.org/user/45640
www.drupal.org/user/61203
www.drupal.org/user/78040
www.drupal.org/writing-secure-code
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.967 High
EPSS
Percentile
99.7%