CVE-2015-4395 - OpenCVE

The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hybridauth Social Login Project	Hybridauth Social Login

Configuration 1 [-]

OR	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.0:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.1:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.2:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.3:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.4:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.5:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.6:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.7:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.8:::::drupal::
	cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.9:::::drupal::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2015/04/25/6
http://www.securityfocus.com/bid/74364
https://www.drupal.org/node/2475443
https://www.drupal.org/node/2475943

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-15T14:00:00

Updated: 2024-08-06T06:11:12.946Z

Reserved: 2015-06-05T00:00:00

Link: CVE-2015-4395

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-06-15T14:59:50.073

Modified: 2016-06-09T21:30:24.530

Link: CVE-2015-4395

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-21T00:00:00", "descriptions": [{"lang": "en", "value": "The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the \"Ask user for a password when registering\" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-06-01T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.drupal.org/node/2475943"}, {"name": "74364", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74364"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/node/2475443"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4395", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the \"Ask user for a password when registering\" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"name": "https://www.drupal.org/node/2475943", "refsource": "MISC", "url": "https://www.drupal.org/node/2475943"}, {"name": "74364", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74364"}, {"name": "https://www.drupal.org/node/2475443", "refsource": "CONFIRM", "url": "https://www.drupal.org/node/2475443"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:11:12.946Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.drupal.org/node/2475943"}, {"name": "74364", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74364"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/node/2475443"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4395", "datePublished": "2015-06-15T14:00:00", "dateReserved": "2015-06-05T00:00:00", "dateUpdated": "2024-08-06T06:11:12.946Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "0B6667EE-93C5-4EA0-A3A7-84D92F178339", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "F82F22B5-234E-412E-B429-5738358D0657", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "02333870-1AF9-4A2A-90D6-342375FEB830", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "A7312672-C1BC-4BE1-8032-8677B0CA86FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.4:*:*:*:*:drupal:*:*", "matchCriteriaId": "79F8FD75-9C77-4FC5-9819-184FF25F0DF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.5:*:*:*:*:drupal:*:*", "matchCriteriaId": "026C94EF-50A4-481A-BC58-BD7682A75413", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.6:*:*:*:*:drupal:*:*", "matchCriteriaId": "85BB678E-A182-42A5-9A38-FC0AAA02526C", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.7:*:*:*:*:drupal:*:*", "matchCriteriaId": "B5DE99FB-D11E-4D68-A8BC-C092D79FE17E", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.8:*:*:*:*:drupal:*:*", "matchCriteriaId": "E0DCFD2A-8B15-4FAF-A10C-B86153ED4674", "vulnerable": true}, {"criteria": "cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.9:*:*:*:*:drupal:*:*", "matchCriteriaId": "EC96BB43-77BB-4DEB-BCF7-B7A597A2B8F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the \"Ask user for a password when registering\" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database."}, {"lang": "es", "value": "El m\u00f3dulo HybridAuth Social Login 7.x-2.x anterior a 7.x-2.10 para Drupal almacena contrase\u00f1as en texto plano cuando la opci\u00f3n 'Pida una contrase\u00f1a del usuario cuando registre' est\u00e1 deshabilitado, lo que permite a usuarios remotos autenticados con ciertos permisos obtener informaci\u00f3n sensible mediante el aprovechamiento del acceso a la base de datos."}], "id": "CVE-2015-4395", "lastModified": "2016-06-09T21:30:24.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-15T14:59:50.073", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74364"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/node/2475443"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/node/2475943"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}