CVE-2012-2072 in AddToAnyinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAny) module 6.x-3.x before 6.x-3.4 for Drupal allows remote authenticated users with the administer addtoany permission to inject arbitrary web script or HTML via unspecified vectors.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/19/2019

The CVE-2012-2072 vulnerability represents a critical cross-site scripting flaw within the Share Buttons (AddToAny) module for Drupal version 6.x-3.x prior to 6.x-3.4. This vulnerability specifically targets authenticated users who possess the administer addtoany permission, creating a significant security risk for Drupal-based websites that utilize this module. The flaw enables malicious actors to inject arbitrary web script or HTML code through unspecified vectors within the module's functionality, potentially compromising the integrity and security of the entire web application.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the AddToAny module's codebase. When authenticated users with administrative privileges manipulate module settings or configuration parameters, the system fails to properly sanitize user-supplied data before rendering it in web pages. This lack of proper sanitization creates an environment where malicious scripts can be executed within the context of other users' browsers, effectively bypassing standard security boundaries. The vulnerability operates as a classic reflected XSS attack vector, where user-controllable input is directly embedded into web responses without appropriate security measures.

The operational impact of CVE-2012-2072 extends beyond simple data theft or defacement, as it provides attackers with persistent access to the compromised Drupal site. An attacker with the administer addtoany permission can manipulate the module's configuration to inject malicious JavaScript that executes whenever other users view pages containing share buttons. This capability allows for session hijacking, credential theft, data exfiltration, and potential privilege escalation within the Drupal environment. The vulnerability's persistence is particularly concerning as it can remain undetected for extended periods, allowing attackers to establish long-term presence within the target network.

This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and maps to several ATT&CK techniques including T1059.007 for Scripting and T1566.001 for Phishing. The attack surface is particularly dangerous within enterprise environments where Drupal sites often serve as content management platforms for sensitive organizational data. Organizations utilizing this module are at risk of having their administrative interfaces compromised, potentially allowing attackers to modify content, create new user accounts, or even escalate privileges to full administrative control. The vulnerability's impact is amplified when considering that the affected module is commonly used across multiple websites, making it an attractive target for mass exploitation campaigns.

Mitigation strategies for CVE-2012-2072 primarily involve immediate patching of the AddToAny module to version 6.x-3.4 or later, which contains the necessary security fixes. Organizations should also implement comprehensive input validation and output encoding practices throughout their Drupal installations, particularly for modules that handle user-controllable configuration parameters. Network segmentation and privilege separation can help limit the damage if exploitation occurs, while regular security audits and monitoring of administrative activities can aid in early detection of potential compromise. Additionally, implementing Content Security Policy headers and disabling unnecessary administrative permissions can provide additional defense-in-depth measures against similar vulnerabilities.

Reservation

04/04/2012

Disclosure

08/14/2012

Moderation

accepted

Entry

VDB-61637

CPE

ready

EPSS

0.01064

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!