Drupal Security Team - DRUPAL-SA-CONTRIB-2024-020
May 22, 2024 - 12:00 a.m.

Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

www.drupal.org

AI Score: 7 (Confidence: Low)

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form when the “Email contact link” formatter is used. This vulnerability is mitigated by the fact that it requires the “Email contact link” formatter to be used.

Affected configurations

Node: drupal email_contact, range <2.0.4

Vendor    Product          Version    CPE
drupal    email_contact    *          cpe:2.3:a:drupal:email_contact:*:*:*:*:*:*:*:*
