Vulnerability Details : CVE-2014-1400
The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2014-1400
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:a:entity_api_project:entity_api:7.x-1.0:*:*:*:*:drupal:*:*
- cpe:2.3:a:entity_api_project:entity_api:7.x-1.1:*:*:*:*:drupal:*:*
- cpe:2.3:a:entity_api_project:entity_api:7.x-1.2:*:*:*:*:drupal:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-1400
- 0.22%: probability of exploitation activity in the next 30 days
- ~ 60%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-1400
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2014-1400
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1400
- http://www.openwall.com/lists/oss-security/2014/01/09/3
  oss-security - Re: CVE Request: drupal7-entity: multiple access bypass vulnerabilities (Mailing List; Third Party Advisory)
- https://www.drupal.org/node/2169595
  SA-CONTRIB-2014-001 - Entity API - Access Bypass | Drupal.org (Patch; Vendor Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126816.html
  [SECURITY] Fedora 20 Update: drupal7-entity-1.3-1.fc20 (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126811.html
  [SECURITY] Fedora 19 Update: drupal7-entity-1.3-1.fc19 (Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90396
  Entity API module for Drupal entity_access() security bypass CVE-2014-1400 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/64729
  Drupal Entity API Module Multiple Access Bypass Vulnerabilities (Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1050802
  1050802 – (CVE-2014-1398, CVE-2014-1399, CVE-2014-1400) CVE-2014-1398 CVE-2014-1399 CVE-2014-1400 drupal7-entity: multiple access bypass vulnerabilities (Issue Tracking; Third Party Advisory)