CVE-2013-7435
Severity: Unknown | EPSS: 2.20%
CVE-2013-7435 is a vulnerability of currently unknown severity. The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging a lack of user permission checks for retrieval in fm_IDL.xml. EPSS estimates a 2.20% chance of exploitation in the next 30 days.
Description
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging a lack of user permission checks for retrieval in fm_IDL.xml.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Evergreen-Ils | Evergreen | < 2.5.9 |
| Evergreen-Ils | Evergreen | >= 2.6.0, < 2.6.7 |
| Evergreen-Ils | Evergreen | >= 2.7.0, < 2.7.4 |
References
- http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 (Issue Tracking, Release Notes)
- http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 (Issue Tracking, Release Notes)
- http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 (Issue Tracking, Release Notes)
- http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ (Issue Tracking, Release Notes)
- http://www.openwall.com/lists/oss-security/2015/03/04/3 (Issue Tracking, Mailing List, Third Party Advisory)
- https://bugs.launchpad.net/evergreen/+bug/1206589 (Issue Tracking, Patch)
Frequently Asked Questions
What is CVE-2013-7435?
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging a lack of user permission checks for retrieval in fm_IDL.xml.
How severe is CVE-2013-7435?
Severity scoring for CVE-2013-7435 is pending analysis. The EPSS model estimates a 2.20% probability of exploitation in the next 30 days.
How do I fix CVE-2013-7435?
Check the vendor references and advisories linked above for patched versions (2.5.9, 2.6.7 and 2.7.4) and mitigation guidance.
Source: NVD / NIST
