The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| open_atrium_project | open_atrium | * |
Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| open_atrium_project | open_atrium | 7.x-2.0 |
| open_atrium_project | open_atrium | * |
The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with "access content" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| open_atrium_project | open_atrium | 7.x-2.0 |
| open_atrium_project | open_atrium | * |
The OG Subgroups module, when used with the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal, allows remote attackers to access child groups via vectors related to membership inheritance.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| open_atrium_project | open_atrium | 7.x-2.0 |
| open_atrium_project | open_atrium | * |