CVE-2012-2705 - OpenCVE

The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Christopher Mitchell	Smart Breadcrumb
Drupal	Drupal

Configuration 1 [-]

AND

OR	cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.0:::::::*
	cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.1:::::::*
	cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.2:::::::*
	cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.x:dev::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://drupal.org/node/1568216
http://drupal.org/node/1585564
http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a
http://secunia.com/advisories/49163
http://www.openwall.com/lists/oss-security/2012/06/14/3
http://www.osvdb.org/82006
http://www.securityfocus.com/bid/53592
https://exchange.xforce.ibmcloud.com/vulnerabilities/75713

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-06-27T00:00:00

Updated: 2024-08-06T19:42:31.946Z

Reserved: 2012-05-14T00:00:00

Link: CVE-2012-2705

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-06-27T00:55:04.147

Modified: 2017-08-29T01:31:39.930

Link: CVE-2012-2705

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "82006", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/82006"}, {"name": "53592", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/53592"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/1568216"}, {"name": "smartbreadcrumb-filtertitles-xss(75713)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75713"}, {"name": "[oss-security] 20120613 Re: CVE Request for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/06/14/3"}, {"name": "49163", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49163"}, {"tags": ["x_refsource_MISC"], "url": "http://drupal.org/node/1585564"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-2705", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "82006", "refsource": "OSVDB", "url": "http://www.osvdb.org/82006"}, {"name": "53592", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53592"}, {"name": "http://drupal.org/node/1568216", "refsource": "CONFIRM", "url": "http://drupal.org/node/1568216"}, {"name": "smartbreadcrumb-filtertitles-xss(75713)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75713"}, {"name": "[oss-security] 20120613 Re: CVE Request for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/06/14/3"}, {"name": "49163", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/49163"}, {"name": "http://drupal.org/node/1585564", "refsource": "MISC", "url": "http://drupal.org/node/1585564"}, {"name": "http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a", "refsource": "CONFIRM", "url": "http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:42:31.946Z"}, "title": "CVE Program Container", "references": [{"name": "82006", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/82006"}, {"name": "53592", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/53592"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupal.org/node/1568216"}, {"name": "smartbreadcrumb-filtertitles-xss(75713)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75713"}, {"name": "[oss-security] 20120613 Re: CVE Request for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/06/14/3"}, {"name": "49163", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49163"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://drupal.org/node/1585564"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2705", "datePublished": "2012-06-27T00:00:00", "dateReserved": "2012-05-14T00:00:00", "dateUpdated": "2024-08-06T19:42:31.946Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9CD77B4E-1D3E-49E3-9398-7A782170A0C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "ACC6A329-EE4F-4F70-BA11-6ECEAEC24E80", "vulnerable": true}, {"criteria": "cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0C85B743-5BFC-4F0D-8312-4120E0BAA613", "vulnerable": true}, {"criteria": "cpe:2.3:a:christopher_mitchell:smart_breadcrumb:6.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "F28636FD-BF45-4C1C-BD78-E3F1E9E1C6AF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter."}, {"lang": "es", "value": "La funci\u00f3n filter_titles en el m\u00f3dulo Smart Breadcrumb v6.x-1.x anterior a v6.x-1.3 para Drupal no convierte correctamente un t\u00edtulo a texto sin formato, permitiendo a usuarios remotos autenticados crear o editar los permisos de los nodos para realizar ataques XSS a trav\u00e9s del par\u00e1metro title."}], "id": "CVE-2012-2705", "lastModified": "2017-08-29T01:31:39.930", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2012-06-27T00:55:04.147", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://drupal.org/node/1568216"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/1585564"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://drupalcode.org/project/smart_breadcrumb.git/commitdiff/834f75a"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49163"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/06/14/3"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/82006"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/53592"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75713"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}