CVE-2013-4273 - OpenCVE

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors. NOTE: this identifier was SPLIT per ADT5 due to different researcher organizations. CVE-2013-7391 was assigned for the View vector.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Entity Api Project	Entity Api

Configuration 1 [-]

OR	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:::::drupal::
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta1::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta10::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta11::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta2::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta3::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta4::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta5::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta6::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta7::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta8::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta9::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc1::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc2::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc3::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.1:::::drupal::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2013/08/22/2
https://drupal.org/node/2065197
https://drupal.org/node/2065207	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2014-07-19T18:00:00

Updated: 2014-07-19T18:57:01

Reserved: 2013-06-12T00:00:00

Link: CVE-2013-4273

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-07-19T18:55:01.727

Modified: 2015-02-27T17:42:29.350

Link: CVE-2013-4273

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors. NOTE: this identifier was SPLIT per ADT5 due to different researcher organizations. CVE-2013-7391 was assigned for the View vector."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-07-19T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20130822 Re: CVE request for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"tags": ["x_refsource_MISC"], "url": "https://drupal.org/node/2065207"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://drupal.org/node/2065197"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4273", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors. NOTE: this identifier was SPLIT per ADT5 due to different researcher organizations. CVE-2013-7391 was assigned for the View vector."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20130822 Re: CVE request for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"name": "https://drupal.org/node/2065207", "refsource": "MISC", "url": "https://drupal.org/node/2065207"}, {"name": "https://drupal.org/node/2065197", "refsource": "CONFIRM", "url": "https://drupal.org/node/2065197"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4273", "datePublished": "2014-07-19T18:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2014-07-19T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "433019DB-4AA8-47A2-8F40-DF942F87177F", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta1:*:*:*:drupal:*:*", "matchCriteriaId": "8CD17D74-DF27-41F1-850A-8F9FEC887F86", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta10:*:*:*:drupal:*:*", "matchCriteriaId": "FFAE7C60-0497-4A75-A2D9-2BA89CB42F0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta11:*:*:*:drupal:*:*", "matchCriteriaId": "B5CE0E97-770A-4239-A021-F3A3FB242EA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta2:*:*:*:drupal:*:*", "matchCriteriaId": "877CD3BE-0F6F-4343-A752-7698ACFFCD1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta3:*:*:*:drupal:*:*", "matchCriteriaId": "B592B392-1FAE-4BEF-99DC-7C5AB84E15C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta4:*:*:*:drupal:*:*", "matchCriteriaId": "83E7DE0A-D756-459B-99CE-621026A29FB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta5:*:*:*:drupal:*:*", "matchCriteriaId": "6E349B3F-8AD3-4E1C-B7BE-BCF5552C4BBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta6:*:*:*:drupal:*:*", "matchCriteriaId": "B38D7DCA-F83C-4D0F-B545-062B914FBE5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta7:*:*:*:drupal:*:*", "matchCriteriaId": "A8E2C960-9C71-4546-82AE-AEB5A83377CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta8:*:*:*:drupal:*:*", "matchCriteriaId": "5B194AA3-0869-4D2C-AC6D-AB6BB2C65091", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta9:*:*:*:drupal:*:*", "matchCriteriaId": "DB91C2BC-6188-4679-BDA9-F3B3D2DB395A", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "5A2F77EA-EE98-4399-A9B8-45104A94ECF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc2:*:*:*:drupal:*:*", "matchCriteriaId": "798ACA1B-1E81-48EA-ABED-9E0E18EE50EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc3:*:*:*:drupal:*:*", "matchCriteriaId": "6768BCC0-9F2C-45A8-9ADC-B6D7A650DC35", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "8C785FED-779E-4ECC-88D0-4BE90B3804AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors. NOTE: this identifier was SPLIT per ADT5 due to different researcher organizations. CVE-2013-7391 was assigned for the View vector."}, {"lang": "es", "value": "El m\u00f3dulo Entity API 7.x-1.x anterior a 7.x-1.2 para Drupal no restringe debidamente el acceso a comentarios de nodos, lo que permite a usuarios remotos autenticados leer los comentarios a trav\u00e9s de vectores no especificados. NOTA: este identificador fue dividido (SPLIT) por ADT5 debido a organizaciones diferentes de investigadores. CVE-2013-7391 fue asignado para el vector View."}], "id": "CVE-2013-4273", "lastModified": "2015-02-27T17:42:29.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-19T18:55:01.727", "references": [{"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"source": "secalert@redhat.com", "url": "https://drupal.org/node/2065197"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://drupal.org/node/2065207"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}