#VU430 Information Disclosure in Menu Links in Drupal


Published: 2016-09-14

Vulnerability identifier: #VU430

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-6661

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows an unauthenticated user to obtain potentially sensitive information.
The weakness exists because a malicious user is able to see the titles of nodes that the user was not allowed to see.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive data.

Mitigation
Update 6.x to 6.37.
https://www.drupal.org/drupal-6.37-release-notes
Update 7.x to 7.39.
https://www.drupal.org/drupal-7.39-release-notes

Vulnerable software versions

Drupal: 6.2 - 6.36, 7.0 - 7.38


External links
http://www.drupal.org/SA-CORE-2015-003


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

