4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
69.0%
By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a ‘invalid id’ error and does not show the title of the entity.
However, if a user (A) that has access to the referenced entity (Node 1), makes that reference on a node (Node 2), and gives edit access to another user (B), user B will be able to see the node title for the referenced node (Node 2).
This vulnerability is mitigated by the fact that an attacker must get a user with access to a private node to reference it via another node that attacker has edit access to. No other node information is leaked other than the title.
Drupal core is not affected. If you do not use the contributed Entity reference module, there is nothing you need to do.
Install the latest version:
Also see the Entity reference project page.
drupal.org/contact
drupal.org/project/entityreference
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/22211
drupal.org/user/45640
drupal.org/user/57511
drupal.org/writing-secure-code
drupal.org/node/2140229
drupal.org/user/329570
drupal.org/user/36762
drupal.org/user/45640