The Ctools module for Drupal is prone to a cross-site scripting vulnerability and an access-bypass vulnerability.
An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, to bypass security restrictions, or to perform unauthorized actions; this may aid in launching further attacks.
Information
Drupal ctools 7.x-1.6
Drupal ctools 7.x-1.5
Drupal ctools 7.x-1.4
Drupal ctools 7.x-1.3
Drupal ctools 7.x-1.2
Drupal ctools 7.x-1.1
Drupal ctools 6.x-1.9
Drupal ctools 6.x-1.8
Drupal ctools 6.x-1.7
Drupal ctools 6.x-1.6
Drupal ctools 6.x-1.5
Drupal ctools 6.x-1.4
Drupal ctools 6.x-1.3
Drupal ctools 6.x-1.2
Drupal ctools 6.x-1.13
Drupal ctools 6.x-1.12
Drupal ctools 6.x-1.10
Drupal ctools 6.x-1.1
Drupal ctools 6.x-1.14
Exploit
Attackers can use a browser to exploit the access-bypass issue. To exploit the cross-site scripting vulnerability, attackers must trick an unsuspecting victim into following a malicious URI.
References:
- ctools Homepage (Drupal)
- Drupal Homepage (Drupal)
- Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141 (Drupal)