196 matches found
SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...
CVE-2013-2123
The CVE-2013-2123 issue affects the Drupal module Node access user reference (nodeaccess_userreference) for Drupal 6.x-3.x (before 6.x-3.5) and Drupal 7.x-3.x (before 7.x-3.10). The root cause is inadequate access restriction for content containing a user reference field when author update/delete...
Design/Logic Flaw
The Chaos Tool Suite ctools module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list...
CVE-2013-1925
The Chaos Tool Suite ctools module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list...
CVE-2013-1925
CVE-2013-1925 affects the Chaos Tool Suite (ctools) for Drupal, specifically 7.x-1.x prior to 7.x-1.3. The vulnerability arises because the module does not properly restrict node access when generating an autocomplete list of suggested node titles, potentially exposing restricted titles to remote...
Drupal Node Access User Reference模块访问绕过漏洞
Bugtraq ID:60211 CVE ID:CVE-2013-2123 Drupal是一个基于PHP语言编写的开发型CMF(内容管理框架)。 Drupal Node Access User Reference模块允许对坐着,引用用户和非引用用户分配不同的访问权限。当作者创建包含用户引用字段的内容,并坐着用户账户不就被删除后,该作者创建的内容可被匿名用户编辑。 0 Drupal Node Access User Reference 6.x Drupal Node Access User Reference 7.x 厂商解决方案 Drupal Node Access User...
SA-CONTRIB-2013-049 - Node access user reference - Access Bypass
This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field with author update/delete grants enabled and the author's user account is later deleted, content created by them...
Mandriva Linux Security Advisory : drupal (MDVSA-2013:074)
Updated drupal packages fix security vulnerabilities : Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain...
SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass
This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they shou...
SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported
This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. CVE identifiers issued CVE-2013-0257 Versions...
CVE-2012-4491
The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by nodeaccess modules, which allows remote attackers to access restricted nodes via unspecified vectors...
CVE-2012-4483
The commonsdiscussionviewsdefaultviews function in modules/features/commonsdiscussion/commonsdiscussion.viewsdefault.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensiti...
Design/Logic Flaw
The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact...
CVE-2012-4500
The CVE-2012-4500 entry concerns Drupal’s Announcements module (6.x-1.x) prior to version 6.x-1.5. The vulnerability allows remote authenticated users who have the 'access announcements' permission to bypass node access restrictions, potentially leading to additional unspecified impact. Patch/fix...
CVE-2012-4491
The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by nodeaccess modules, which allows remote attackers to access restricted nodes via unspecified vectors...
CVE-2012-2153
Removed by vendor...
CVE-2012-2153
CVE-2012-2153 affects Drupal 7.x prior to 7.14. The issue is an improper restriction of access to nodes in a list when using a contributed node access module, allowing remote authenticated users with the “Access the content overview page” permission to read all published nodes via the admin/conte...
SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify. The module doesn't sufficiently ensure node access for sites that use a node access system. This vulnerability is mitigated by the fact...
SA-CONTRIB-2012-117 - Location - Access Bypass
The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations. The Location Search module fails to enforce content and user access permission...
SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass
Drupal Commons is a ready-to-use solution for building either internal or external communities. The Drupal Commons feature a central module in the distribution includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node acces...