CVE-2012-2724 Information
Description
The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows remote attackers to obtain sensitive information via the confirmation page.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
http://drupal.org/node/1619812
http://drupal.org/node/1619818
http://drupal.org/node/1619820
http://drupal.org/node/1619848
http://drupalcode.org/project/simplenews.git/commitdiff/36352c1
http://drupalcode.org/project/simplenews.git/commitdiff/6d5704c
http://drupalcode.org/project/simplenews.git/commitdiff/faec6a6
http://www.openwall.com/lists/oss-security/2012/06/14/3
http://www.securityfocus.com/bid/53839
https://exchange.xforce.ibmcloud.com/vulnerabilities/76143
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM