Vulnerability Details : CVE-2014-2983
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2014-2983
Probability of exploitation activity in the next 30 days: 0.20%
Percentile, the proportion of vulnerabilities that are scored at or less: ~57%
CVSS scores for CVE-2014-2983
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
CWE ids for CVE-2014-2983
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2983
- https://drupal.org/SA-CORE-2014-002
  SA-CORE-2014-002 - Drupal core - Information Disclosure | Drupal.org (Patch; Vendor Advisory)
- http://www.debian.org/security/2014/dsa-2914
  Debian -- Security Information -- DSA-2914-1 drupal6 (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-2913
  Debian -- Security Information -- DSA-2913-1 drupal7 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2014/04/22/2
  oss-security - Re: CVE Request for Drupal Core (Mailing List; Third Party Advisory)
Products affected by CVE-2014-2983
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*