Vigil@nce - Drupal Token Insert Entity: information disclosure
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can insert a token with Drupal Token Insert Entity, in
order to obtain sensitive information.
– Impacted products: Drupal Modules not comprehensive.
– Severity: 2/4.
– Creation date: 03/12/2015.
DESCRIPTION OF THE VULNERABILITY
The Token Insert Entity module can be installed on Drupal.
However, an attacker can insert a token in an unpublished node, so
it becomes readable.
An attacker can therefore insert a token with Drupal Token Insert
Entity, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Token-Insert-Entity-information-disclosure-18425