[Security-news] Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

security-news at drupal.org security-news at drupal.org
Wed Feb 14 20:59:57 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-013

Project: Entity API [1]
Date: 2018-February-14
Security risk: *Moderately critical* 10∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Information Disclosure

Description: 
The Entity API module extends the entity API of Drupal core in order to
provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error
conditions, thereby causing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able
to trigger the error condition in a way that exposes protected data.

Solution: 
Install the latest version:

   * If you use the Entity API module for Drupal 7.x, upgrade to Entity API
     7.x-1.9 [3]

Reported By: 
   * Klaus Purer  [4]

Fixed By: 
   * Klaus Purer  [5]
   * Dick Olsson  [6]
   * Wolfgang Ziegler  [7]

Coordinated By: 
   * Michael Hess [8] of the Drupal Security Team


[1] https://www.drupal.org/project/entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity/releases/7.x-1.9
[4] https://www.drupal.org/user/262198
[5] https://www.drupal.org/user/262198
[6] https://www.drupal.org/user/239911
[7] https://www.drupal.org/user/16747
[8] https://www.drupal.org/u/mlhess


