CVE-2013-4445
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access.
| Software | From | Fixed in |
|---|---|---|
| steven_jones / context | 6.x-2.0-beta7 | 6.x-2.0-beta7.x |
| steven_jones / context | 6.x-2.0-beta2 | 6.x-2.0-beta2.x |
| steven_jones / context | 6.x-2.0-beta4 | 6.x-2.0-beta4.x |
| steven_jones / context | 6.x-2.0-rc3 | 6.x-2.0-rc3.x |
| steven_jones / context | 6.x-2.0-beta6 | 6.x-2.0-beta6.x |
| steven_jones / context | 6.x-2.0-beta1 | 6.x-2.0-beta1.x |
| steven_jones / context | 6.x-2.0-rc1 | 6.x-2.0-rc1.x |
| steven_jones / context | 6.x-2.0-beta3 | 6.x-2.0-beta3.x |
| steven_jones / context | 6.x-2.0-alpha2 | 6.x-2.0-alpha2.x |
| steven_jones / context | 6.x-2.0-rc2 | 6.x-2.0-rc2.x |
| steven_jones / context | 6.x-2.0-alpha1 | 6.x-2.0-alpha1.x |
| steven_jones / context | 6.x-2.0-beta5 | 6.x-2.0-beta5.x |
| steven_jones / context | 6.x-3.0-rc1 | 6.x-3.0-rc1.x |
| steven_jones / context | 6.x-3.0-beta2 | 6.x-3.0-beta2.x |
| steven_jones / context | 6.x-3.0-beta4 | 6.x-3.0-beta4.x |
| steven_jones / context | 6.x-3.0-beta8 | 6.x-3.0-beta8.x |
| steven_jones / context | 6.x-3.0 | 6.x-3.0.x |
| steven_jones / context | 6.x-3.0-beta6 | 6.x-3.0-beta6.x |
| steven_jones / context | 6.x-3.0-alpha1 | 6.x-3.0-alpha1.x |
| steven_jones / context | 6.x-3.0-alpha2 | 6.x-3.0-alpha2.x |
| steven_jones / context | 6.x-3.0-beta1 | 6.x-3.0-beta1.x |
| steven_jones / context | 6.x-3.0-beta7 | 6.x-3.0-beta7.x |
| steven_jones / context | 6.x-3.0-beta5 | 6.x-3.0-beta5.x |
| steven_jones / context | 6.x-3.0-beta3 | 6.x-3.0-beta3.x |
| steven_jones / context | 6.x-3.0-rc2 | 6.x-3.0-rc2.x |
| steven_jones / context | 6.x-3.1 | 6.x-3.1.x |
| steven_jones / context | 6.x-3.x-dev | 6.x-3.x-dev.x |
| steven_jones / context | 7.x-3.0-beta2 | 7.x-3.0-beta2.x |
| steven_jones / context | 7.x-3.0-beta5 | 7.x-3.0-beta5.x |
| steven_jones / context | 7.x-3.0-alpha1 | 7.x-3.0-alpha1.x |
| steven_jones / context | 7.x-3.0-beta4 | 7.x-3.0-beta4.x |
| steven_jones / context | 7.x-3.0-beta6 | 7.x-3.0-beta6.x |
| steven_jones / context | 7.x-3.0-alpha3 | 7.x-3.0-alpha3.x |
| steven_jones / context | 7.x-3.0-beta3 | 7.x-3.0-beta3.x |
| steven_jones / context | 7.x-3.0-alpha2 | 7.x-3.0-alpha2.x |
| steven_jones / context | 7.x-3.0-beta7 | 7.x-3.0-beta7.x |
| steven_jones / context | 7.x-3.0-beta1 | 7.x-3.0-beta1.x |
| steven_jones / context | 7.x-3.x-dev | 7.x-3.x-dev.x |
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html
- https://drupal.org/node/2112785
- https://drupal.org/node/2112791
- https://drupal.org/node/2113317
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime