2 matches found
CVE-2013-4273
The Drupal Entity API module (7.x-1.x) before 7.x-1.2 fails to properly enforce access restrictions for node comments when used with Views field/area plugins, allowing remote authenticated users to read restricted comments via a View (and is split from CVE-2013-4273’s View vector). The issue spec...
SA-CONTRIB-2013-068 - Entity API - Access Bypass
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...