Drupal Security TeamDRUPAL-SA-CONTRIB-2015-106Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
69.2%
This module enables you to display an entityform as a block.
The module doesn’t sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role.
CVE identifier(s) issued
- CVE-2015-5493
Versions affected
- Entityform Block 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Entityform block module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Entityform Block module for Drupal 7.x, upgrade to Entityform Block 7.x-1.3
Also see the Entityform block project page.
Reported by
Fixed by
- Tim Whitney the module maintainer
Coordinated by
- Rick Manelius of the Drupal Security Team
- Aaron Ott Provisional member of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2483687
www.drupal.org/project/entityform_block
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/rickmanelius
www.drupal.org/u/timodwhit
www.drupal.org/user/154069
www.drupal.org/user/599438
www.drupal.org/writing-secure-code
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
69.2%