Drupal
Drupal Security Team
DRUPAL-SA-CONTRIB-2014-072
Jul 23, 2014 - 12:00 a.m.

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

2014-07-23 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low (Percentile: 66.0%)

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]].

The module doesn’t sufficiently check access to content when displaying links to nodes and users. This makes it possible to see node titles, usernames and potentially other data depending on the site configuration.

This vulnerability is mitigated by the fact that a site must use node access or permissions to prevent some users from viewing some nodes or users.
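
A simplified model of the flaw described above, added here as an example and not taken from the Freelinking modules: a filter expands [[pluginname:identifier]] markup into links, once without and once with an access check for the viewing user. The plugin names (nid, user), the sample nodes and users, and the helpers may_view and render are assumptions made for illustration.

```python
import html
import re

# Constructed sample data: nid -> (title, roles allowed to view the node).
NODES = {
    1: ("Welcome", {"anonymous", "member"}),
    2: ("Internal salary review", {"staff"}),
}
# Constructed sample data: uid -> username.
USERS = {7: "alice"}

# Wiki-style [[pluginname:identifier]] markup; numeric identifiers only here.
FREELINK = re.compile(r"\[\[(\w+):(\d+)\]\]")


def may_view(plugin, ident, viewer_roles, perms):
    """Hypothetical stand-in for the site's node access / permission layer."""
    if plugin == "nid":
        return bool(NODES[ident][1] & viewer_roles)
    if plugin == "user":
        return "access user profiles" in perms
    return False


def render(text, viewer_roles, perms, check_access):
    """Expand freelinks; check_access=False models the reported behaviour."""
    def expand(m):
        plugin, ident = m.group(1), int(m.group(2))
        if plugin == "nid" and ident in NODES:
            label, href = NODES[ident][0], f"/node/{ident}"
        elif plugin == "user" and ident in USERS:
            label, href = USERS[ident], f"/user/{ident}"
        else:
            return m.group(0)  # unknown plugin or target: leave markup as typed
        if check_access and not may_view(plugin, ident, viewer_roles, perms):
            # Denied targets render exactly like missing ones, so neither the
            # title/username nor the target's existence is disclosed.
            return m.group(0)
        return f'<a href="{href}">{html.escape(label)}</a>'
    return FREELINK.sub(expand, text)


if __name__ == "__main__":
    sample = "See [[nid:1]], [[nid:2]], [[user:7]] and [[nid:99]]."
    print(render(sample, {"anonymous"}, set(), check_access=False))
    print(render(sample, {"anonymous"}, set(), check_access=True))
```
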

CVE identifier(s) issued

  • CVE-2014-5179

Versions affected

All versions of Freelinking and Freelinking for case tracker

Drupal core is not affected. If you do not use the contributed freelinking or freelinking Case tracker modules, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the freelinking and freelinking case tracker project pages.

Reported by
