CVE-2014-9361 - OpenCVE

The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Logintoboggan Project	Logintoboggan

Configuration 1 [-]

OR	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:::::drupal::
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha1::::drupal::*
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha2::::drupal::*
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha3::::drupal::*
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.1:::::drupal::
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.2:::::drupal::
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.3:::::drupal::
	cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.x:x-dev::::drupal::*

No data.

References

Link	Providers
https://www.drupal.org/node/2299467
https://www.drupal.org/node/2300369

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-12-10T20:00:00Z

Updated: 2024-09-17T01:36:53.842Z

Reserved: 2014-12-10T00:00:00Z

Link: CVE-2014-9361

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-12-10T20:59:00.070

Modified: 2014-12-11T13:49:30.813

Link: CVE-2014-9361

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-12-10T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2300369"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2299467"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9361", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/node/2300369", "refsource": "MISC", "url": "https://www.drupal.org/node/2300369"}, {"name": "https://www.drupal.org/node/2299467", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2299467"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:40:25.201Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2300369"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2299467"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9361", "datePublished": "2014-12-10T20:00:00Z", "dateReserved": "2014-12-10T00:00:00Z", "dateUpdated": "2024-09-17T01:36:53.842Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "B7986EF2-AA05-467B-ACC0-72369D82E58C", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha1:*:*:*:drupal:*:*", "matchCriteriaId": "02CFEA06-9F6A-44E5-90A7-B0F88A1EDA34", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha2:*:*:*:drupal:*:*", "matchCriteriaId": "615A536A-AC6C-4B1E-866F-1A0401DABB1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.0:alpha3:*:*:*:drupal:*:*", "matchCriteriaId": "4FACA92C-E58D-4BD8-B242-35EE14F0B050", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "B4C42DF3-A3FB-4D1D-8267-1884C3BB2556", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "95C812A2-D069-446D-BF14-86FD3EC5D4AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "1F3E7F17-D025-49E4-8A10-71B18FCFD5C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:logintoboggan_project:logintoboggan:7.x-1.x:x-dev:*:*:*:drupal:*:*", "matchCriteriaId": "00637C22-3F65-4857-9D9E-400251659103", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page."}, {"lang": "es", "value": "El m\u00f3dulo LoginToboggan 7.x-1.x anterior a 7.x-1.4 para Drupal no desactiva correctamente el role de usuario autorizado para ciertos usuarios, lo que permite a atacantes remotos con el role preautorizado ganar privilegios y posiblemente obtener informaci\u00f3n sensible mediante el acceso a una p\u00e1gina Page Not Found (404)."}], "id": "CVE-2014-9361", "lastModified": "2014-12-11T13:49:30.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-12-10T20:59:00.070", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2299467"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/node/2300369"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}