CVE-2013-7391 - OpenCVE

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Entity Api Project	Entity Api

Configuration 1 [-]

OR	cpe:2.3:a:entity_api_project:entity_api::::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:::::drupal::
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta1::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta10::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta11::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta2::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta3::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta4::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta5::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta6::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta7::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta8::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta9::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc1::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc2::::drupal::*
	cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc3::::drupal::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2013/08/22/2
https://drupal.org/node/2065197	Patch
https://drupal.org/node/2065207	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-07-19T18:00:00

Updated: 2014-07-19T18:57:01

Reserved: 2014-07-19T00:00:00

Link: CVE-2013-7391

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-07-19T18:55:01.820

Modified: 2015-02-27T17:42:34.663

Link: CVE-2013-7391

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-07-19T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20130822 Re: CVE request for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"tags": ["x_refsource_MISC"], "url": "https://drupal.org/node/2065207"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://drupal.org/node/2065197"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7391", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20130822 Re: CVE request for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"name": "https://drupal.org/node/2065207", "refsource": "MISC", "url": "https://drupal.org/node/2065207"}, {"name": "https://drupal.org/node/2065197", "refsource": "CONFIRM", "url": "https://drupal.org/node/2065197"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7391", "datePublished": "2014-07-19T18:00:00", "dateReserved": "2014-07-19T00:00:00", "dateUpdated": "2014-07-19T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:entity_api_project:entity_api:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "FB8D8F33-F053-4822-8279-2185A5943C08", "versionEndIncluding": "7.x-1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "433019DB-4AA8-47A2-8F40-DF942F87177F", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta1:*:*:*:drupal:*:*", "matchCriteriaId": "8CD17D74-DF27-41F1-850A-8F9FEC887F86", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta10:*:*:*:drupal:*:*", "matchCriteriaId": "FFAE7C60-0497-4A75-A2D9-2BA89CB42F0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta11:*:*:*:drupal:*:*", "matchCriteriaId": "B5CE0E97-770A-4239-A021-F3A3FB242EA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta2:*:*:*:drupal:*:*", "matchCriteriaId": "877CD3BE-0F6F-4343-A752-7698ACFFCD1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta3:*:*:*:drupal:*:*", "matchCriteriaId": "B592B392-1FAE-4BEF-99DC-7C5AB84E15C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta4:*:*:*:drupal:*:*", "matchCriteriaId": "83E7DE0A-D756-459B-99CE-621026A29FB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta5:*:*:*:drupal:*:*", "matchCriteriaId": "6E349B3F-8AD3-4E1C-B7BE-BCF5552C4BBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta6:*:*:*:drupal:*:*", "matchCriteriaId": "B38D7DCA-F83C-4D0F-B545-062B914FBE5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta7:*:*:*:drupal:*:*", "matchCriteriaId": "A8E2C960-9C71-4546-82AE-AEB5A83377CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta8:*:*:*:drupal:*:*", "matchCriteriaId": "5B194AA3-0869-4D2C-AC6D-AB6BB2C65091", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:beta9:*:*:*:drupal:*:*", "matchCriteriaId": "DB91C2BC-6188-4679-BDA9-F3B3D2DB395A", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "5A2F77EA-EE98-4399-A9B8-45104A94ECF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc2:*:*:*:drupal:*:*", "matchCriteriaId": "798ACA1B-1E81-48EA-ABED-9E0E18EE50EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:rc3:*:*:*:drupal:*:*", "matchCriteriaId": "6768BCC0-9F2C-45A8-9ADC-B6D7A650DC35", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations."}, {"lang": "es", "value": "El m\u00f3dulo Entity API 7.x-1.x anterior a 7.x-1.2 para Drupal, cuando utilice (a) el campo Views o (b) los plugins de \u00e1rea, permite a atacantes remotos leer entidades restringidos a trav\u00e9s de (1) el campo, (2) la cabecera o (3) el pie de un View. NOTA: este identificador fue dividido (SPLIT) del CVE-2013-4273 por ADT5 debido a organizaciones diferentes de investigadores."}], "id": "CVE-2013-7391", "lastModified": "2015-02-27T17:42:34.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-19T18:55:01.820", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/08/22/2"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://drupal.org/node/2065197"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://drupal.org/node/2065207"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}