it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013
- Date: Wed, 14 Feb 2018 20:59:57 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-013
Project: Entity API [1]
Date: 2018-February-14
Security risk: *Moderately critical* 10∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Information Disclosure
Description:
The Entity API module extends the entity API of Drupal core in order to
provide a unified way to deal with entities and their properties.
The module prints debugging information to the HTML output under certain error
conditions, thereby causing an information disclosure vulnerability.
This vulnerability is mitigated by the fact that an attacker needs to be able
to trigger the error condition in a way that exposes protected data.
Solution:
Install the latest version:
* If you use the Entity API module for Drupal 7.x, upgrade to Entity API
7.x-1.9 [3]
Reported By:
* Klaus Purer [4]
Fixed By:
* Klaus Purer [5]
* Dick Olsson [6]
* Wolfgang Ziegler [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity/releases/7.x-1.9
[4] https://www.drupal.org/user/262198
[5] https://www.drupal.org/user/262198
[6] https://www.drupal.org/user/239911
[7] https://www.drupal.org/user/16747
[8] https://www.drupal.org/u/mlhess
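Added example (not part of the advisory or of the Entity API project): a check that reads the version line which drupal.org packaging writes into a module's .info file and compares it with the fixed release 7.x-1.9 named under "Solution". The sample file contents and the function names are constructed for illustration; treating every release below 7.x-1.9 as needing the upgrade, and later releases as keeping the fix, are assumptions.

```python
import re

FIXED = (1, 9)  # 7.x-1.9, the fixed release named in the advisory

# Constructed sample of an entity.info file (not taken from a real site).
SAMPLE_INFO = '''name = Entity API
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-1.8"
project = "entity"
'''

VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
RELEASE = re.compile(r'^7\.x-(\d+)\.(\d+)(-(?:alpha|beta|rc)\d+)?(\+\d+-dev)?$')


def info_version(info_text):
    """Return the version string from .info file text, or None if absent."""
    # Drop ';' comment lines so a commented-out version line is never matched.
    lines = [l for l in info_text.splitlines() if not l.lstrip().startswith(';')]
    m = VERSION_LINE.search('\n'.join(lines))
    return m.group(1) if m else None


def classify(version):
    """Return 'fixed', 'upgrade' or 'review' for an Entity API 7.x version."""
    if version is None:
        return 'review'   # e.g. a git checkout without packaging data
    m = RELEASE.match(version)
    if not m:
        return 'review'   # 7.x-1.x-dev, other branches, unparseable strings
    # Compare numerically: as strings, "1.10" would sort before "1.9".
    release = (int(m.group(1)), int(m.group(2)))
    pre, dev = m.group(3), m.group(4)
    if release < FIXED:
        # A dev snapshot after an older release may or may not contain the fix.
        return 'review' if dev else 'upgrade'
    if release == FIXED and pre:
        return 'review'   # a pre-release of 1.9 is not the tagged 7.x-1.9
    return 'fixed'


if __name__ == '__main__':
    v = info_version(SAMPLE_INFO)
    print(v, '->', classify(v))
```

A result of "review" means the installed code has to be compared against the 7.x-1.9 release by hand, since the version string alone does not settle it.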