CVE-2013-7435

MEDIUM

Evergreen <2.5.9, <2.6.7, <2.7.4 - Info Disclosure

Title source: llm
STIX 2.1

Description

The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml.

References (7)

Core 7
Core References
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/03/04/3
Issue Tracking, Patch x_refsource_confirm
https://bugs.launchpad.net/evergreen/+bug/1206589
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/

Scores

CVSS v3 6.5
EPSS 0.0220
EPSS Percentile 80.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
evergreen-ils/evergreen < 2.5.9
Published Feb 01, 2018
Tracked Since Feb 18, 2026