oss-sec mailing list archives

Re: CVE Request: drupal7-entity: multiple access bypass vulnerabilities


From: cve-assign () mitre org
Date: Thu, 9 Jan 2014 06:11:55 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The entity module for Drupal

The module's entity wrapper access API doesn't sufficiently protect 
comment, user and node statistics properties from unprivileged user access.

Use CVE-2014-1398.


The module's entity wrapper access API doesn't sufficiently check entity 
access on referenced entities such as taxonomy terms.

Use CVE-2014-1399. (We are interpreting "doesn't sufficiently protect" and
"doesn't sufficiently check" as different flaw categories.)


The module's entity_access() API doesn't protect unpublished comments 
from being viewed by unprivileged users.

Use CVE-2014-1400.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----

