CVE-2015-4375 - Vulnerability Details - OpenCVE

The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00319.

Key SSVC decision points have not yet been added.

Vendors	Products
Chaos Tool Suite Project	Ctools

Configuration 1 [-]

OR	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.0:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.1:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.2:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.3:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.4:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.5:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:::::drupal::
	cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:rc1::::drupal::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2015-4398	The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2015/03/22/35
http://www.openwall.com/lists/oss-security/2015/04/25/6
https://www.drupal.org/node/2454883
https://www.drupal.org/node/2454909

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-15T14:00:00

Updated: 2024-08-06T06:11:12.908Z

Reserved: 2015-06-05T00:00:00

Link: CVE-2015-4375

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-06-15T14:59:32.763

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-4375

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-18T00:00:00", "descriptions": [{"lang": "en", "value": "The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-06-15T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20150322 CVE requests for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2454909"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2454883"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4375", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20150322 CVE requests for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"name": "https://www.drupal.org/node/2454909", "refsource": "MISC", "url": "https://www.drupal.org/node/2454909"}, {"name": "https://www.drupal.org/node/2454883", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2454883"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:11:12.908Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20150322 CVE requests for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2454909"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2454883"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4375", "datePublished": "2015-06-15T14:00:00", "dateReserved": "2015-06-05T00:00:00", "dateUpdated": "2024-08-06T06:11:12.908Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "5FA4E46D-F7D9-448D-B971-D8EE786EB3AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "EFA33F20-D932-42F3-84B0-9E55645D64D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "F56B3706-6AF5-42C9-A565-882AE03ADA9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "7683107F-23E1-4220-91FA-CFCDD2129AE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.4:*:*:*:*:drupal:*:*", "matchCriteriaId": "698747A0-461D-409B-B9DE-9059CCF81AA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.5:*:*:*:*:drupal:*:*", "matchCriteriaId": "05D4A651-2FFE-42D1-8412-4C3C4098995F", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:*:*:*:*:drupal:*:*", "matchCriteriaId": "FF5CE8CA-69E1-465A-9F16-C96FB1E0F564", "vulnerable": true}, {"criteria": "cpe:2.3:a:chaos_tool_suite_project:ctools:7.x-1.6:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "B6B28B89-76C3-4407-84EF-48CBF6FBD783", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity."}, {"lang": "es", "value": "El m\u00f3dulo Chaos tool suite (ctools) 7.x-1.x anterior a 7.x-1.7 para Drupal permite a atacantes remotos obtener t\u00edtulos de nodos a trav\u00e9s (1) de una b\u00fasqueda de autocompletado en entidades personalizadas sin indicador de consulta de acceso o (2) del aprovechamiento de conocimiento de un identificador de una entidad."}], "id": "CVE-2015-4375", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-15T14:59:32.763", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://www.drupal.org/node/2454883"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2454909"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/03/22/35"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://www.drupal.org/node/2454883"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/node/2454909"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}