LiveActive security incident?Get immediate response
CVE Record

CVE-2015-8095: The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly r...

The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A Drupal site using the vulnerable Monster Menus module could expose content that staff believed was hidden in the recycle bin. The issue is information disclosure, not confirmed code execution. Business urgency depends on whether affected sites stored sensitive pages or nodes that were removed from normal view.

Executive priority

Prioritize affected public-facing Drupal sites that used Monster Menus to manage sensitive content. The issue can expose information, but available sources do not show active exploitation or full severity details. Patch through the Drupal module update process and validate whether confidential recycled content was reachable.

Technical view

CVE-2015-8095 affects Monster Menus for Drupal, versions 7.x-1.21 before 7.x-1.24. The recycle bin feature did not properly remove nodes from view, allowing remote attackers to obtain sensitive information through an unspecified URL pattern. The public source bundle does not provide CVSS, CWE, authentication requirements, or detailed exploit mechanics.

Likely exposure

Exposure is likely limited to Drupal deployments using Monster Menus 7.x-1.21, 7.x-1.22, or 7.x-1.23, especially where recycled nodes contained confidential content. Sites not using Monster Menus, not on Drupal, or already upgraded to 7.x-1.24 or later are not indicated as affected by the provided sources.

Exploitation context

The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The CVE says remote attackers may obtain sensitive information, but the URL pattern is unspecified. Treat this as a confidentiality risk requiring inventory and version validation rather than assuming known exploitation.

Researcher notes

Evidence is sparse: no CVSS vector, CWE, detailed vulnerable URL pattern, or exploit status is supplied. The main research task is confirming module presence, exact version, and whether recycled nodes retained unintended visibility. Avoid reproducing unspecified URL access patterns outside authorized validation.

Mitigation direction

  • Upgrade Monster Menus to 7.x-1.24 or later where affected.
  • Review Drupal.org advisory guidance before applying changes.
  • Restrict access to sensitive recycled or unpublished content where possible.
  • Remove sensitive content from vulnerable recycle bins until upgraded.
  • Confirm backups and change plans before modifying production Drupal modules.

Validation and detection

  • Inventory Drupal sites for the Monster Menus module.
  • Confirm installed Monster Menus versions against 7.x-1.24.
  • Identify recycled nodes that may contain sensitive information.
  • Review web access logs for unusual access to recycled or hidden content.
  • Document whether affected content was public, internal, or regulated.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2015-8095 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.