Module: csvexport
Patched Version:1.3
Download Link: http://www.websitebakers.com/pages/modules/various/csvexport.phpRisks: Information disclosure, Elevation of priviledges, Data loss
Description: Only installations with different user groups, where at least one group has only write rights to at least one out of many existing pages of this module, are at risk. Wait at least until 15. January 2011 for exact description of the vulnerabilities (until most systems are patched).
Risk level: Low if your system does not belong to the group on risk, high otherwise
Suggestions: In case your system is at risk (see above) patch it as soon as possible!
Important hintMost other WB modules are at risk as well, because they contain exactly the same bugs. Ask their authors for a fix if you need it!
If you are an module author, check the source code of your modules!
Error classification:
http://cwe.mitre.org/data/definitions/285.htmlBy the way, it would have been totally unnecessary to patch this small module if the core of WB 2.8 would make a better job when checking the access rights of a user for a page in the backend!
WebsiteBaker Community Forum
