Vigil@nce - Drupal Spaces: information disclosure via Spaces OG
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can read the content of deleted Drupal Spaces groups,
in order to obtain sensitive information.
– Impacted products: Drupal Modules
– Severity: 2/4
– Creation date: 24/10/2013
DESCRIPTION OF THE VULNERABILITY
The Drupal Spaces module is used to partition configuration
options.
However, the Spaces OG submodule does not correctly process the
group deletion. Associated information then becomes readable.
An attacker can therefore read the content of deleted Drupal
Spaces groups, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Spaces-information-disclosure-via-Spaces-OG-13640