Vigil@nce - Drupal: privilege escalation via Edit Limit
June 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who has the "edit comments" permission can use the
Edit Limit module of Drupal to edit the comments of other users.
Impacted products: Drupal
Severity: 1/4
Creation date: 29/05/2013
DESCRIPTION OF THE VULNERABILITY
The Edit Limit module defines limits for Drupal users.
However, it does not correctly handle access privileges for
comments.
An attacker who has the "edit comments" permission can therefore
use the Edit Limit module of Drupal to edit the comments of other
users.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-privilege-escalation-via-Edit-Limit-12877