CVE-2013-4595 - The Secure Pages module 6.x-2.x before 6.x-2.0 for Drupal does not properly match URLs, which causes

CVE-2013-4595

Summary

The Secure Pages module 6.x-2.x before 6.x-2.0 for Drupal does not properly match URLs, which causes HTTP to be used instead of HTTPS and makes it easier for remote attackers to obtain sensitive information via a crafted web page.

References

Vulnerable Configurations

cpe:2.3:a:gordon_heydon:secure_pages:6.x-2.x:dev:-:*:-:drupal:*:*
cpe:2.3:a:gordon_heydon:secure_pages:6.x-2.x:dev:-:*:-:drupal:*:*

CVSS

Base:	4.3 (as of 24-06-2014 - 15:37)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

refmap via4

confirm	https://drupal.org/node/2128739
misc	https://drupal.org/node/2129381
mlist	[oss-security] 20131118 Re: CVE request for Drupal contributed modules

Last major update

24-06-2014 - 15:37

Published

09-06-2014 - 19:55

Last modified

24-06-2014 - 15:37