CVE-2012-2296

Janrain Engage for Drupal 6.x/7.x < 2.2 - Sensitive Information Exposure

Title source: llm
STIX 2.1

Description

The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability.

References (7)

Core 7
Core References
Patch x_refsource_confirm
http://drupal.org/node/1515114
Patch, Vendor Advisory x_refsource_misc
http://drupal.org/node/1515282
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/04/10/12
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/05/03/2
Patch x_refsource_confirm
http://drupal.org/node/1515120
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74616
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/05/03/1

Scores

EPSS 0.0156
EPSS Percentile 72.3%

Details

CWE
CWE-200
Status published
Products (9)
janrain/rpx 6.x-1.0 beta1 (4 CPE variants)
janrain/rpx 6.x-1.1 rc2
janrain/rpx 6.x-1.2 (2 CPE variants)
janrain/rpx 6.x-1.3
janrain/rpx 6.x-1.4
janrain/rpx 6.x-2.1 (6 CPE variants)
janrain/rpx 7.x-2.0
janrain/rpx 7.x-2.1 (5 CPE variants)
janrain/rpx 7.x-2.x dev
Published Jul 25, 2012
Tracked Since Feb 18, 2026