Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2014-048
- Project: Field API Pane Editor (FAPE) (third-party module)
- Version: 7.x
- Date: 2014-April-30
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module.
The module doesn't sufficiently verify the user has access to modify the entity the field is attached to. Unless another module was installed which restricted access to edit the fields, any user can edit any field on any entity on the site.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Field API Pane Editor (FAPE) module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Field API Pane Editor (FAPE) module for Drupal 7.x, upgrade to Field API Pane Editor (FAPE) 7.x-1.2.
Also see the Field API Pane Editor (FAPE) project page.
Reported by
Fixed by
- David Rothstein of the Drupal Security Team.
- Damien McKenna, the module maintainer.
Coordinated by
- David Snopek of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
