6.8

CVE-2013-4446

The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection.
Data provided by the National Vulnerability Database (NVD)
Steven Jones Context, Version 6.x-2.0, Update alpha1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update alpha2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta3
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta4
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta5
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta6
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update beta7
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update rc1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update rc2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-2.0, Update rc3
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update alpha1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update alpha2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta3
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta4
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta5
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta6
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta7
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update beta8
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update rc1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.0, Update rc2
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.1
   Drupal Drupal, Version -
Steven Jones Context, Version 6.x-3.x, Update dev
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update alpha1
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update alpha2
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update alpha3
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta1
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta2
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta3
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta4
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta5
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta6
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.0, Update beta7
   Drupal Drupal, Version -
Steven Jones Context, Version 7.x-3.x, Update dev
   Drupal Drupal, Version -
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 1.09% | 0.759
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.