CVE-2012-5557

high

Description

The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal does not properly assign roles when there are more than three roles on the site and in certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.

References

http://www.openwall.com/lists/oss-security/2012/11/20/4

http://drupal.org/node/1840886

http://drupal.org/node/1840054

http://drupal.org/node/1840038

Details

Source: Mitre, NVD

Published: 2012-12-03

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N

Severity: Low

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00171