CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
CVSS2 vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
EPSS: 0.967 High
Percentile: 99.7%
This module offers a WYSIWYG button to embed rendered entities in fields that use a WYSIWYG editor (normally the body of a node).
The vulnerability: a user who can create or edit content and has the “insert entity token” permission can insert a token that refers to, for example, an unpublished node. Any user, including anonymous users, can then see that node rendered and embedded in the main node.
Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.
Install the latest version:
Also see the Token Insert Entity project page.
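The flaw described above comes down to rendering the referenced entity without asking whether the current viewer may see it. The following is an added example, not the module's code and not part of the advisory: the `[embed:node:ID]` token syntax, the data layout and the `can_view()` rule are hypothetical stand-ins for the module's tokens and Drupal's access system.

```php
<?php
// Constructed sample data: node 7 is unpublished, node 8 is published.
$nodes = [
    7 => ['status' => 0, 'author' => 3, 'title' => 'Draft merger notice'],
    8 => ['status' => 1, 'author' => 3, 'title' => 'Public FAQ'],
];

// Simplified view-access rule (assumption): published nodes are visible to
// everyone; unpublished nodes only to their author or an administrator.
function can_view(array $node, array $viewer): bool {
    if ($node['status'] === 1) {
        return true;
    }
    return $viewer['is_admin'] || $viewer['uid'] === $node['author'];
}

// Replace hypothetical [embed:node:ID] tokens when the body is rendered.
// $check_access = false reproduces the behaviour the advisory describes.
// With the check on, the output depends on the viewer, so it must not be
// stored in a cache that is shared between users.
function render_body(string $body, array $nodes, array $viewer, bool $check_access): string {
    return preg_replace_callback(
        '/\[embed:node:(\d+)\]/',
        function (array $m) use ($nodes, $viewer, $check_access): string {
            $node = $nodes[(int) $m[1]] ?? null;
            if ($node === null) {
                return '';  // token points at nothing: embed nothing
            }
            // The decision is made for the person viewing the page,
            // not for the editor who inserted the token.
            if ($check_access && !can_view($node, $viewer)) {
                return '';
            }
            return '<div class="embedded">' . htmlspecialchars($node['title']) . '</div>';
        },
        $body
    );
}

$anonymous = ['uid' => 0, 'is_admin' => false];
$author    = ['uid' => 3, 'is_admin' => false];
$body      = 'Intro [embed:node:7] and [embed:node:8]';

echo render_body($body, $nodes, $anonymous, false), "\n"; // unchecked rendering
echo render_body($body, $nodes, $anonymous, true), "\n";  // checked, anonymous viewer
echo render_body($body, $nodes, $author, true), "\n";     // checked, node author
```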
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2571905
www.drupal.org/project/token_insert_entity
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/227
www.drupal.org/user/49851
www.drupal.org/user/682736
www.drupal.org/writing-secure-code