VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2015 · Updated May 6, 2026

CVE-2015-3404

Description

The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Certify module for Drupal 6.x before 6.x-2.3 fails to check node access, allowing authenticated users to view PDF certificates they should not have access to.

Vulnerability

The Certify module for Drupal 6.x, versions prior to 6.x-2.3, does not properly perform node access checks when showing and creating PDF certificates [4]. This allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information [4]. The vulnerability is present in the 6.x-2.x branch before 6.x-2.3 [3][4].

Exploitation

An attacker must be a remote authenticated user on the Drupal site and must have completed the conditions required for a certificate [4]. The attacker can then view or create PDF certificates for nodes they should not have access to, by exploiting the missing node access checks [4]. No special privileges beyond authentication are required.

Impact

Successful exploitation leads to unauthorized disclosure of PDF certificate information [4]. The attacker gains access to certificates that should be restricted, potentially revealing sensitive data contained in those certificates. The impact is limited to information disclosure; no code execution or privilege escalation is reported.

Mitigation

The fix is included in Certify 6.x-2.3, released on 14 January 2015 [3][4]. Users should upgrade to version 6.x-2.3 immediately. No workarounds are mentioned in the references. The module is for Drupal 6.x, which is itself end-of-life, but the module fix addresses this specific vulnerability.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:certify_project:certify:6.x-2.2:*:*:*:*:drupal:*:*
  • (no CPE) range: <6.x-2.3
