oss-sec mailing list archives
Re: CVE Request: drupal7-entity: multiple access bypass vulnerabilities
From: cve-assign () mitre org
Date: Thu, 9 Jan 2014 06:11:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The entity module for Drupal The module's entity wrapper access API doesn't sufficiently protect comment, user and node statistics properties from unprivileged user access.
Use CVE-2014-1398.
The module's entity wrapper access API doesn't sufficiently check entity access on referenced entities such as taxonomy terms.
Use CVE-2014-1399. (We are interpreting "doesn't sufficiently protect" and "doesn't sufficiently check" as different flaw categories.)
The module's entity_access() API doesn't protect unpublished comments from being viewed by unprivileged users.
Use CVE-2014-1400. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSzoMZAAoJEKllVAevmvmsO+sH/j/OSRR3n2FzkO3oV7w8MvH9 6kKhqfvft9DftI2AXP2W9/ugRr+RUgf0/8mFk+dJeJ5UMlGn/f8MajDXsSD66mc0 xR1PrAkkTwYiEcnVb/esFEEPoBKiezPRlPbaR1c33cuo82MS+VoUTVQmp3snz5v2 OcSW1AWX/zulIRxjASF/uAKD+HUQLtPf8Fx/0Qh1qFA7jA1A8MGQ94xvXbR+vk9b 3OhMLf1cY8ROG0nO+FSMDVly0InmYqABb9AByHXhf45gu/sCnYrmYxChbyLA8M5P fsEVpDeojUwBOAccJdRqIJZAO+lZ7lcwYVxSgLBCCJ6GiWAcwMZLsVIDbtyZIHc= =QQmr -----END PGP SIGNATURE-----
Current thread:
- CVE Request: drupal7-entity: multiple access bypass vulnerabilities Ratul Gupta (Jan 08)
- Re: CVE Request: drupal7-entity: multiple access bypass vulnerabilities cve-assign (Jan 09)