4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.967 High
EPSS
Percentile
99.7%
The email module provides a field type (CCK / FieldAPI) for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address
is.
The module didn’t sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the field itself.
This vulnerability is mitigated by needing to to use a field permission module (other than CCK’s Content Permissions) with those email fields and need to have the field contact field formatter configured for either full or teaser display modes.
CVE: Cross-site Scripting: CVE-2012-5587; Access Bypass: CVE-2012-5588
Furthermore the mailto link wasn’t sanitized when output to the screen. This vulnerability is mitigated by the fact that Drupal’s form validation for emails prevents malicious emails and would need to be bypassed to exploit this vulnerability, e.g. by importing data from external sources and not doing validation.
CVE: Requested
Drupal core is not affected. If you do not use the contributed Email Field module, there is nothing you need to do.
Install the latest version:
Also see the Email Field project page.