CVE-2012-6563

engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://blog.elgg.org/pg/blog/evan/read/209/elgg-185-released	Patch Vendor Advisory
http://elgg.org/getelgg.php?forward=elgg-1.8.5.zip	Patch
http://secunia.com/advisories/49129	Vendor Advisory
http://www.securityfocus.com/bid/53623
https://exchange.xforce.ibmcloud.com/vulnerabilities/75757
http://blog.elgg.org/pg/blog/evan/read/209/elgg-185-released	Patch Vendor Advisory
http://elgg.org/getelgg.php?forward=elgg-1.8.5.zip	Patch
http://secunia.com/advisories/49129	Vendor Advisory
http://www.securityfocus.com/bid/53623
https://exchange.xforce.ibmcloud.com/vulnerabilities/75757

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:elgg:elgg::::::::
	cpe:2.3:a:elgg:elgg:1.7.0:::::::*
	cpe:2.3:a:elgg:elgg:1.7.1:::::::*
	cpe:2.3:a:elgg:elgg:1.7.2:::::::*
	cpe:2.3:a:elgg:elgg:1.7.3:::::::*
	cpe:2.3:a:elgg:elgg:1.7.4:::::::*
	cpe:2.3:a:elgg:elgg:1.7.5:::::::*
	cpe:2.3:a:elgg:elgg:1.7.6:::::::*
	cpe:2.3:a:elgg:elgg:1.7.7:::::::*
	cpe:2.3:a:elgg:elgg:1.7.8:::::::*
	cpe:2.3:a:elgg:elgg:1.7.9:::::::*
	cpe:2.3:a:elgg:elgg:1.7.10:::::::*
	cpe:2.3:a:elgg:elgg:1.7.11:::::::*
	cpe:2.3:a:elgg:elgg:1.7.12:::::::*
	cpe:2.3:a:elgg:elgg:1.7.13:::::::*
	cpe:2.3:a:elgg:elgg:1.7.14:::::::*
	cpe:2.3:a:elgg:elgg:1.7.15:::::::*
	cpe:2.3:a:elgg:elgg:1.7.16:::::::*
	cpe:2.3:a:elgg:elgg:1.7.17:::::::*
	cpe:2.3:a:elgg:elgg:1.7.18:::::::*
	cpe:2.3:a:elgg:elgg:1.8.0.1:::::::*
	cpe:2.3:a:elgg:elgg:1.8.1:::::::*
	cpe:2.3:a:elgg:elgg:1.8.3:::::::*

History

No history.

Information

Published : 2013-05-23 15:55

Updated : 2025-04-11 00:51

NVD link : CVE-2012-6563

Mitre link : CVE-2012-6563

CVE.ORG link : CVE-2012-6563

JSON object : View

Products Affected

elgg

elgg

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2012-6563", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-05-23T15:55:02.477", "references": [{"url": "http://blog.elgg.org/pg/blog/evan/read/209/elgg-185-released", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://elgg.org/getelgg.php?forward=elgg-1.8.5.zip", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/49129", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/53623", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75757", "source": "cve@mitre.org"}, {"url": "http://blog.elgg.org/pg/blog/evan/read/209/elgg-185-released", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://elgg.org/getelgg.php?forward=elgg-1.8.5.zip", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/49129", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/53623", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75757", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors."}, {"lang": "es", "value": "engine/lib/access.php en Elgg v1.8.5 antes no se borra las listas de acceso en cach\u00e9 correctamente durante el arranque del complemento, lo que permite a atacantes remotos leer las entidades privadas a trav\u00e9s de vectores no especificados."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elgg:elgg:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF23055F-E32F-47ED-9B11-B8F58518ED32", "versionEndIncluding": "1.8.4"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C80BB5F-1E77-4202-A4D3-3D96FA0969ED"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D07839A-E8E3-4C7C-9A05-C359FF9A2819"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E34DCD3E-7A8D-4A97-838A-D5A0159068EB"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "663F1815-EAF8-40A3-BAC8-29E359245972"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BFE9E2-F931-4197-97CA-5D58FBB763B9"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "779523EE-7B82-4E10-ABC5-A64D9C0EDBE9"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7816C52C-5360-4987-8975-9C9C9EFCACBB"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7AB456D-F688-4E0C-920E-E70C3351A463"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BDD08B0-FA37-4E81-BD79-8107F8EA5EBF"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0658B074-66D8-410C-AB08-BC6C7A79B2FF"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F04D49A2-A15A-41A8-A3C3-801F608E7345"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D7D1917-81AB-46C4-9176-6961A0FBCA6E"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3EC5E77-D90E-451F-BB00-20DBEBDD6FAC"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6383A2DA-20C8-484B-854A-D4A885D1E50A"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA7509A5-1413-4BAD-93C7-92EE464BCFA2"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1729E9B0-AE66-49FA-A74F-8C0622DE0962"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2079FBBD-1802-4AC8-B40C-F543D03D8A1E"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFF01033-1BE8-45FC-B631-31E65BC8E6A3"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.7.18:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E9BCD0C-C890-470A-B185-97301A58712F"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.8.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6869E5FD-652D-4927-A21B-F530996DFD91"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E19B1613-CF87-4219-82CD-DA84FEB68F4A"}, {"criteria": "cpe:2.3:a:elgg:elgg:1.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C39479E6-2E23-403E-B2CE-FA169C821EE9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}