Vulnerability Details CVE-2013-4446
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.9%
CVSS Severity
CVSS v2 Score 6.8
References
- http://drupalcode.org/project/context.git/commitdiff/63ef4d9
- http://drupalcode.org/project/context.git/commitdiff/d7b4afa
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html
- https://drupal.org/node/2112785
- https://drupal.org/node/2112791
- https://drupal.org/node/2113317
- http://drupalcode.org/project/context.git/commitdiff/63ef4d9
- http://drupalcode.org/project/context.git/commitdiff/d7b4afa
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html
- https://drupal.org/node/2112785
- https://drupal.org/node/2112791
- https://drupal.org/node/2113317
Products affected by CVE-2013-4446
-
cpe:2.3:a:drupal:drupal:-
-
cpe:2.3:a:steven_jones:context:6.x-2.0
-
cpe:2.3:a:steven_jones:context:6.x-3.0
-
cpe:2.3:a:steven_jones:context:6.x-3.1
-
cpe:2.3:a:steven_jones:context:6.x-3.x
-
cpe:2.3:a:steven_jones:context:7.x-3.0
-
cpe:2.3:a:steven_jones:context:7.x-3.x