Vulnerability Description
The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Node Access User Reference Project | Nodeaccess Userreference Module | 6.x-3.0 |
| Drupal | Drupal | - |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2013/05/29/9
- https://drupal.org/node/2007072Patch
- https://drupal.org/node/2007078Patch
- https://drupal.org/node/2007122Vendor Advisory
- http://www.openwall.com/lists/oss-security/2013/05/29/9
- https://drupal.org/node/2007072Patch
- https://drupal.org/node/2007078Patch
- https://drupal.org/node/2007122Vendor Advisory
FAQ
What is CVE-2013-2123?
CVE-2013-2123 is a vulnerability with a CVSS score of 5.8 (MEDIUM). The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author updat...
How severe is CVE-2013-2123?
CVE-2013-2123 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-2123?
Check the references section above for vendor advisories and patch information. Affected products include: Node Access User Reference Project Nodeaccess Userreference Module, Drupal Drupal.