EUVD-2015-2304

Malware in sbrugna...

CVE-2015-2197

Cross-site scripting XSS vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API...

CVE-2014-1399

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors...

CVE-2014-1398

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors...

CVE-2014-1398

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors...

CVE-2014-1398

CVE-2014-1398 affects Drupal: the Entity API module (7.x-1.x) before 7.x-1.3 may let remote authenticated users bypass access restrictions on comment, user and node statistics properties via unspecified vectors. Connected documents confirm fixes in 7.x-1.3 (e.g., Fedora updates for drupal7-entity...

CVE-2014-1400

CVE-2014-1400 affects Drupal’s Entity API module (7.x-1.x) before 7.x-1.3. The entity_access API flaw could allow remote authenticated users to bypass access restrictions and read unpublished comments via unspecified vectors. The issue has a published remediation: upgrade to 7.x-1.3. If exploitat...

CVE-2015-2197

Cross-site scripting XSS vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API...

Drupal Entity API Module Field Label Cross-Site Scripting Vulnerability

Drupal is an open source content management platform. A cross-site scripting vulnerability exists in the Drupal Entity API module field labels due to the program failing to properly filter user-supplied input. An attacker could be allowed to exploit this vulnerability to steal cookie-based...

Design/Logic Flaw

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the a Views field or b area plugins, allows remote attackers to read restricted entities via the 1 field, 2 header, or 3 footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher...

CVE-2013-7391

The vulnerability CVE-2013-7391 affects the Drupal contributed Entity API module (7.x-1.x) prior to 7.x-1.2. When using the Views field or area plugins, it allows remote attackers to read restricted entities via the View’s field, header, or footer. This is caused by insufficient access checks in ...

CVE-2013-4273

The Drupal Entity API module (7.x-1.x) before 7.x-1.2 fails to properly enforce access restrictions for node comments when used with Views field/area plugins, allowing remote authenticated users to read restricted comments via a View (and is split from CVE-2013-4273’s View vector). The issue spec...

CVE-2013-7391

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the a Views field or b area plugins, allows remote attackers to read restricted entities via the 1 field, 2 header, or 3 footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher...