6 matches found
CVE-2014-1398
CVE-2014-1398 affects Drupal: the Entity API module (7.x-1.x) before 7.x-1.3 may let remote authenticated users bypass access restrictions on comment, user and node statistics properties via unspecified vectors. Connected documents confirm fixes in 7.x-1.3 (e.g., Fedora updates for drupal7-entity...
CVE-2014-1400
CVE-2014-1400 affects Drupal’s Entity API module (7.x-1.x) before 7.x-1.3. The entity_access API flaw could allow remote authenticated users to bypass access restrictions and read unpublished comments via unspecified vectors. The issue has a published remediation: upgrade to 7.x-1.3. If exploitat...
CVE-2014-1399
CVE-2014-1399 affects Drupal’s Entity API module (7.x-1.x) prior to 7.x-1.3. The vulnerability in the entity wrapper access API may allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors. The NVD entry notes remote authen...
CVE-2013-7391
The vulnerability CVE-2013-7391 affects the Drupal contributed Entity API module (7.x-1.x) prior to 7.x-1.2. When using the Views field or area plugins, it allows remote attackers to read restricted entities via the View’s field, header, or footer. This is caused by insufficient access checks in ...
CVE-2013-4273
The Drupal Entity API module (7.x-1.x) before 7.x-1.2 fails to properly enforce access restrictions for node comments when used with Views field/area plugins, allowing remote authenticated users to read restricted comments via a View (and is split from CVE-2013-4273’s View vector). The issue spec...
CVE-2015-2197
CVE-2015-2197 affects Drupal’s Entity API module (7.x-1.x) before 7.x-1.6. The vulnerability is an XSS via field labels exposed through the Token API, caused by insufficient sanitization of user-supplied input. Impact: remote authenticated users can inject arbitrary script/HTML. Mitigation: upgra...