MidnightBSD

Advisories for chaos_tool_suite_project

CVE-2010-1546 MEDIUM

Multiple eval injection vulnerabilities in the import functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with "administer page manager" privileges, to execute arbitrary PHP code via input to a text area, related to (1) the page_manager_page_import_subtask_validate function in page_manager/plugins/tasks/page.admin.inc and (2) the page_manager_handler_import_validate function in page_manager/page_manager.admin.inc.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 6.x-1.2
chaos_tool_suite_project ctools 6.x-1.0
chaos_tool_suite_project ctools 6.x-1.1
chaos_tool_suite_project ctools 6.x-1.3
chaos_tool_suite_project ctools 6.x-1.x
CVE-2010-1547 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a page via a q=admin/build/pages/nojs/enable/ value or (2) disable a page via a q=admin/build/pages/nojs/disable/ value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 6.x-1.2
chaos_tool_suite_project ctools 6.x-1.0
chaos_tool_suite_project ctools 6.x-1.1
chaos_tool_suite_project ctools 6.x-1.3
chaos_tool_suite_project ctools 6.x-1.x
CVE-2010-1548 LOW

The auto-complete functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal does not follow access restrictions, which allows remote authenticated users, with "access content" privileges, to read the title of an unpublished node via a q=ctools/autocomplete/node/ value accompanied by the first character of the node's title.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 6.x-1.2
chaos_tool_suite_project ctools 6.x-1.0
chaos_tool_suite_project ctools 6.x-1.1
chaos_tool_suite_project ctools 6.x-1.3
chaos_tool_suite_project ctools 6.x-1.x
CVE-2010-2010 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via a node title.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 6.x-1.2
chaos_tool_suite_project ctools 6.x-1.0
chaos_tool_suite_project ctools 6.x-1.1
chaos_tool_suite_project ctools 6.x-1.3
chaos_tool_suite_project ctools 6.x-1.x
CVE-2013-1925 LOW

The Chaos Tool Suite (ctools) module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 7.x-1.x
chaos_tool_suite_project ctools 7.x-1.0
chaos_tool_suite_project ctools 7.x-1.2
chaos_tool_suite_project ctools 7.x-1.1
CVE-2015-4375 MEDIUM

The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 7.x-1.3
chaos_tool_suite_project ctools 7.x-1.5
chaos_tool_suite_project ctools 7.x-1.4
chaos_tool_suite_project ctools 7.x-1.0
chaos_tool_suite_project ctools 7.x-1.2
chaos_tool_suite_project ctools 7.x-1.6
chaos_tool_suite_project ctools 7.x-1.1
CVE-2015-4398 MEDIUM

Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 7.x-1.3
chaos_tool_suite_project ctools *
chaos_tool_suite_project ctools 7.x-1.5
chaos_tool_suite_project ctools 7.x-1.4
chaos_tool_suite_project ctools 7.x-1.0
chaos_tool_suite_project ctools 7.x-1.2
chaos_tool_suite_project ctools 7.x-1.6
chaos_tool_suite_project ctools 7.x-1.1
CVE-2015-6665 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 6.x-1.11
drupal drupal 7.30
drupal drupal 7.35
drupal drupal 7.33
chaos_tool_suite_project ctools 6.x-1.x
drupal drupal 7.29
drupal drupal 7.2
chaos_tool_suite_project ctools 6.x-1.12
drupal drupal 7.8
chaos_tool_suite_project ctools 6.x-1.0
drupal drupal 7.6
drupal drupal 7.18
drupal drupal 7.9
chaos_tool_suite_project ctools 6.x-1.6
drupal drupal 7.36
drupal drupal 7.1
chaos_tool_suite_project ctools 6.x-1.8
drupal drupal 7.10
drupal drupal 7.38
drupal drupal 7.17
fedoraproject fedora 23
drupal drupal 7.15
chaos_tool_suite_project ctools 6.x-1.9
chaos_tool_suite_project ctools 6.x-1.2
drupal drupal 7.12
drupal drupal 7.34
drupal drupal 7.0
drupal drupal 7.x-dev
drupal drupal 7.7
chaos_tool_suite_project ctools 6.x-1.7
drupal drupal 7.11
chaos_tool_suite_project ctools 6.x-1.3
drupal drupal 7.5
drupal drupal 7.24
drupal drupal 7.19
drupal drupal 7.3
chaos_tool_suite_project ctools 6.x-1.5
drupal drupal 7.27
drupal drupal 7.25
drupal drupal 7.22
fedoraproject fedora 22
drupal drupal 7.16
drupal drupal 7.4
drupal drupal 7.28
drupal drupal 7.21
drupal drupal 7.13
chaos_tool_suite_project ctools 6.x-1.1
fedoraproject fedora 21
drupal drupal 7.20
chaos_tool_suite_project ctools 6.x-1.13
drupal drupal 7.14
drupal drupal 7.23
drupal drupal 7.26
drupal drupal 7.37
chaos_tool_suite_project ctools 6.x-1.4
CVE-2015-7875 MEDIUM

ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
chaos_tool_suite_project ctools 7.x-1.3
chaos_tool_suite_project ctools 6.x-1.11
chaos_tool_suite_project ctools 7.x-1.x
chaos_tool_suite_project ctools 7.x-1.7
chaos_tool_suite_project ctools 7.x-1.4
chaos_tool_suite_project ctools 7.x-1.2
chaos_tool_suite_project ctools 7.x-1.6
chaos_tool_suite_project ctools 6.x-1.x
chaos_tool_suite_project ctools 7.x-1.1
chaos_tool_suite_project ctools 6.x-1.13
chaos_tool_suite_project ctools 6.x-1.12
chaos_tool_suite_project ctools 6.x-1.9
chaos_tool_suite_project ctools 6.x-1.2
chaos_tool_suite_project ctools 6.x-1.0
chaos_tool_suite_project ctools 7.x-1.5
chaos_tool_suite_project ctools 7.x-1.0
chaos_tool_suite_project ctools 6.x-1.7
chaos_tool_suite_project ctools 6.x-1.1
chaos_tool_suite_project ctools 6.x-1.3
chaos_tool_suite_project ctools 6.x-1.6
chaos_tool_suite_project ctools 6.x-1.4
chaos_tool_suite_project ctools 6.x-1.5
chaos_tool_suite_project ctools 6.x-1.8