Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-011

HistoryJan 30, 2013 - 12:00 a.m.

SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported

2013-01-3000:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

60.5%

JSON

This module creates images of user email addresses and email fields. The module doesn’t sufficiently check node access restrictions when displaying such fields.

This vulnerability is mitigated by the fact that it only impacts sites using node access.

CVE identifier(s) issued

CVE-2013-0257

Versions affected

All email2image 6.x-1.x and 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed email2image module, there is nothing you need to do.

Solution

Install the latest version:

If you use the email2image module for Drupal 6.x you should uninstall the module

Also see the email2image project page.

Reported by

Ayesh Karunaratne

Fixed by

Not applicable.

Coordinated by

Lee Rowlands of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/email2image

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/395439

drupal.org/user/796148

drupal.org/writing-secure-code

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

60.5%

JSON

Related for DRUPAL-SA-CONTRIB-2013-011