CVE-2011-0899 - Information Disclosure vulnerability in Johan Lindskog AES Encryption Module 7.X1.4

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Summary

The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.

Vulnerable Configurations

Part | Description | Count
Application | Johan_Lindskog | 1
Application | Drupal | 1

D2sec

name: Drupal AES encryption File Disclosure
url: http://www.d2sec.com/exploits/drupal_aes_encryption_file_disclosure.html