3 matches found
CVE-2013-7066
The Entity reference module 7.x-1.x before 7.x-1.1-rc1 for Drupal allows remote attackers to read private nodes titles by leveraging edit permissions to a node that references a private node...
CVE-2013-7066
CVE-2013-7066 affects the Drupal contributed module Entity reference (7.x-1.x) . Versions prior to 7.x-1.1-rc1 allow remote attackers to read the titles of private nodes by exploiting edit permissions on a node that references a private node. Root cause: the reference mechanism can disclose priva...
SA-CONTRIB-2013-096 - Entity reference - Access bypass
By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a 'invalid id' error and does not show the title of the entity. However, if a user A that has access to the reference...