Drupal Security TeamDRUPAL-SA-CONTRIB-2015-161Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
51.0%
This module enables you to take a field from the current entity and place it elsewhere as a block.
The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it.
The problem will only occur when other modules alter field output based on user permissions.
CVE identifier(s) issued
- CVE-2015-8081
Versions affected
- Field as Block 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Field as Block module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Field as Block module for Drupal 7.x, upgrade to Field as Block 7.x-1.4
Also see the Field as Block project page.
Reported by
Fixed by
- László Csécsy
- Marc van Gend the module maintainer
Coordinated by
- Hunter Fox of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/fieldblock
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/greggles
www.drupal.org/u/hefox
www.drupal.org/user/158153
www.drupal.org/user/199303
www.drupal.org/writing-secure-code
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
51.0%