OpenCVE

The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

No data.

References

Link	Providers
http://drupal.org/node/184354
http://secunia.com/advisories/27292
http://secunia.com/advisories/27352
http://www.securityfocus.com/bid/26119
http://www.vupen.com/english/advisories/2007/3546
https://exchange.xforce.ibmcloud.com/vulnerabilities/37296
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-10-19T23:00:00

Updated: 2024-08-07T15:39:13.593Z

Reserved: 2007-10-19T00:00:00

Link: CVE-2007-5597

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-10-19T23:17:00.000

Modified: 2024-11-21T00:38:16.927

Link: CVE-2007-5597

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-10-17T00:00:00", "descriptions": [{"lang": "en", "value": "The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2007-3546", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/184354"}, {"name": "drupal-api-information-disclosure(37296)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37296"}, {"name": "27292", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27292"}, {"name": "FEDORA-2007-2649", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"name": "27352", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27352"}, {"name": "26119", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/26119"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-5597", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2007-3546", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"name": "http://drupal.org/node/184354", "refsource": "CONFIRM", "url": "http://drupal.org/node/184354"}, {"name": "drupal-api-information-disclosure(37296)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37296"}, {"name": "27292", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27292"}, {"name": "FEDORA-2007-2649", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"name": "27352", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27352"}, {"name": "26119", "refsource": "BID", "url": "http://www.securityfocus.com/bid/26119"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:39:13.593Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2007-3546", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/184354"}, {"name": "drupal-api-information-disclosure(37296)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37296"}, {"name": "27292", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27292"}, {"name": "FEDORA-2007-2649", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"name": "27352", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/27352"}, {"name": "26119", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/26119"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-5597", "datePublished": "2007-10-19T23:00:00", "dateReserved": "2007-10-19T00:00:00", "dateUpdated": "2024-08-07T15:39:13.593Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA9F6D81-D535-4A16-8268-E90705A904DC", "versionEndExcluding": "4.7.8", "versionStartIncluding": "4.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC052F7E-A193-434A-B239-0CC3FB371758", "versionEndExcluding": "5.3", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions."}, {"lang": "es", "value": "El API hook_comments en el Drupal 4.7.x anterior al 4.7.8 y el 5.x anterior al 5.3 no pasa el estado de publicaci\u00f3n, lo que puede permitir a atacantes evitar las restricciones de acceso y disparar un e-mail con comentarios no publicados de ciertos m\u00f3dulos, como lo demostrado en (1) los grupos Organic y (2) Subscriptions."}], "id": "CVE-2007-5597", "lastModified": "2024-11-21T00:38:16.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-10-19T23:17:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://drupal.org/node/184354"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27292"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27352"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/26119"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37296"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://drupal.org/node/184354"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27292"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27352"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/26119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37296"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}