Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-034

HistoryMar 13, 2013 - 12:00 a.m.

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

2013-03-1300:00:00

Drupal Security Team

www.drupal.org

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS

0.004

Percentile

74.9%

JSON

This module enables you to limit the visibility of the fields on the node edit form.
The module doesn’t sufficiently check access before allowing users to view and edit the configuration options allowing anonymous and authenticated users the ability to view and edit the configuration options.

CVE identifier(s) issued

CVE-2013-1859

Versions affected

All 6.x-1.x versions

Drupal core is not affected. If you do not use the contributed Node Parameter Control module, there is nothing you need to do.

Solution

Uninstall the module. No patched version is available.

Also see the Node Parameter Control project page.

Reported by

Talbot

Fixed by

The module maintainer opted to mark the module as unsupported.

Coordinated by

Lee Rowlands of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/node_parameter_control

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/36138

drupal.org/user/395439

drupal.org/writing-secure-code

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS

0.004

Percentile

74.9%

JSON

Related for DRUPAL-SA-CONTRIB-2013-034