Vulnerability Details CVE-2015-4395
The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 38.7%
CVSS Severity
CVSS v2 Score 3.5
Products affected by CVE-2015-4395
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.0
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.1
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.2
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.3
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.4
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.5
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.6
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.7
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.8
- cpe:2.3:a:hybridauth_social_login_project:hybridauth_social_login:7.x-2.9