Vulnerability from drupal
Published
2020-05-06 17:02
Modified
2023-08-11 17:54
Summary
Details

This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform_node, node, or entity access checks may not achieve the intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.

Credits
Dan Chadwick www.drupal.org/user/504278
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c5.11.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/webform"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c5.11.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/504278"
      ],
      "name": "Dan Chadwick"
    }
  ],
  "details": "This module enables you to build forms and surveys in Drupal.\n\nThe Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform\\_node, node, or entity access checks may not achieve the intended access results for Webform Node content.\n\nThere is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.",
  "id": "DRUPAL-CONTRIB-2020-017",
  "modified": "2023-08-11T17:54:03.000Z",
  "published": "2020-05-06T17:02:39.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2020-017"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.