• Advisory ID: DRUPAL-SA-CONTRIB-2013-096
  • Project: Entity reference (third-party module)
  • Version: 7.x
  • Date: 2013-November-20
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a 'invalid id' error and does not show the title of the entity.

However, if a user (A) that has access to the referenced entity (Node 1), makes that reference on a node (Node 2), and gives edit access to another user (B), user B will be able to see the node title for the referenced node (Node 2).

This vulnerability is mitigated by the fact that an attacker must get a user with access to a private node to reference it via another node that attacker has edit access to. No other node information is leaked other than the title.

CVE identifier(s) issued

  • CVE-2013-7066

Versions affected

  • Entityreference 7.x-1.x versions prior to 7.x-1.1-rc1

Drupal core is not affected. If you do not use the contributed Entity reference module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Entity reference project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.