View online: https://www.drupal.org/sa-contrib-2018-013
Project: Entity API [1] Date: 2018-February-14 Security risk: *Moderately critical* 10∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Information Disclosure
Description: The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.
The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability.
This vulnerability is mitigated by the fact that an attacker needs to be able to trigger the error condition in a way that protected data is exposed.
Solution: Install the latest version:
* If you use the Entity API module for Drupal 7.x, upgrade to Entity API 7.x-1.9 [3]
Reported By: * Klaus Purer [4]
Fixed By: * Klaus Purer [5] * Dick Olsson [6] * Wolfgang Ziegler [7]
Coordinated By: * Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/entity [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/entity/releases/7.x-1.9 [4] https://www.drupal.org/user/262198 [5] https://www.drupal.org/user/262198 [6] https://www.drupal.org/user/239911 [7] https://www.drupal.org/user/16747 [8] https://www.drupal.org/u/mlhess