Vigil@nce - Drupal Entity API: access bypass
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can access statistics or comments via the Drupal
Entity API, in order to obtain sensitive information.
– Impacted products: Drupal Modules, Fedora
– Severity: 2/4
– Creation date: 09/01/2014
DESCRIPTION OF THE VULNERABILITY
The Entity API module is used to unify access to Drupal
entities.
However, access restrictions are not applied via this interface.
An attacker can therefore access statistics or comments via the
Drupal Entity API, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Entity-API-access-bypass-14045