First published: Thu Aug 06 2009(Updated: )
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not sign all required data in requests, which has unspecified impact, probably related to man-in-the-middle attacks that modify critical data and allow remote attackers to impersonate other users and gain privileges.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Marc Ingram Services | =5.x-0.9 | |
Marc Ingram Services | =5.x-0.91 | |
Marc Ingram Services | =5.x-1.x-dev | |
Marc Ingram Services | =6.x-0.9 | |
Marc Ingram Services | =6.x-0.11 | |
Marc Ingram Services | =6.x-0.12 | |
Marc Ingram Services | =6.x-1.x-dev | |
Drupal |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2008-6909 has a severity rating that suggests a potential for serious exploitation, particularly related to man-in-the-middle attacks.
To fix CVE-2008-6909, update the Services module to versions 5.x-0.92 or 6.x-0.13 and later.
CVE-2008-6909 affects Services versions 5.x before 5.x-0.92 and 6.x before 6.x-0.13.
CVE-2008-6909 can allow remote attackers to impersonate users and gain privileges due to inadequate signing of request data.
If you are using Services module versions 5.x-0.9, 5.x-0.91, 5.x-1.x-dev, 6.x-0.9, 6.x-0.11, 6.x-0.12, or 6.x-1.x-dev, your Drupal installation is vulnerable.