Vulnerabilities > CVE-2008-6910 - Cryptographic Issues vulnerability in Marc Ingram Services

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

drupal

marc-ingram

CWE-310

NVD

Published: 2009-08-06

Updated: 2017-08-17

Summary

Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.

Vulnerable Configurations

Part	Description	Count
Application	Drupal Drupal Drupal *	1
Application	Marc_Ingram Marc Ingram Services 5.X-0.9 Marc Ingram Services 5.X-0.91 Marc Ingram Services 5.X-1.X-Dev Marc Ingram Services 6.X-0.9 Marc Ingram Services 6.X-0.11 Marc Ingram Services 6.X-0.12 Marc Ingram Services 6.X-1.X-Dev	7

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References