Drupal Security TeamDRUPAL-SA-CONTRIB-2015-171Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node).
There is a vulnerability because a user that can create or edit content and has the “insert entity token” permission can insert tokens relating to e.g. an unpublished node and allow any (including anonymous) users to see this rendered node embedded into the main node.
CVE identifier(s) issued
- CVE-2015-8602
Versions affected
- Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Token Insert Entity module for Drupal 7.x, upgrade to Token Insert Entity 7.x-1.1
Also see the Token Insert Entity project page.
Reported by
- killes of the Drupal Security Team
Fixed by
- Juampy NR the module maintainer
Coordinated by
- Peter Wolanin of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2571905
www.drupal.org/project/token_insert_entity
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/227
www.drupal.org/user/49851
www.drupal.org/user/682736
www.drupal.org/writing-secure-code
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%