Vigil@nce - Drupal Entity reference: information disclosure
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the Drupal Entity reference module to obtain
sensitive information.
Impacted products: Drupal Modules
Severity: 1/4
Creation date: 21/11/2013
DESCRIPTION OF THE VULNERABILITY
The Drupal Entity reference module can be used to autocomplete a
field.
However, the autocompletion allows an attacker to read the title
of a node.
An attacker can therefore use the Drupal Entity reference module
to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Entity-reference-information-disclosure-13813