Vulnerability Description
The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Notify Project | Notify | 7.x-1.0 |
Related Weaknesses (CWE)
References
- https://www.drupal.org/node/2320693Patch
- https://www.drupal.org/node/2320741Vendor Advisory
- https://www.drupal.org/node/2320693Patch
- https://www.drupal.org/node/2320741Vendor Advisory
FAQ
What is CVE-2014-9154?
CVE-2014-9154 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node title...
How severe is CVE-2014-9154?
CVE-2014-9154 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9154?
Check the references section above for vendor advisories and patch information. Affected products include: Notify Project Notify.