Field As Block Less Critical Information Disclosure Vulnerabilities
17 Feb. 2016
Summary
The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allow remote attackers to obtain sensitive field information by reading a cached block.
Credit:
The information has been provided by Laszlo Csecsy.
Vulnerable Systems:
* Field as Block module 7.x-1.x before 7.x-1.4
Immune Systems:
* Field as Block module 7.x-1.x after 7.x-1.4
This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output based on user permissions.
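The caching behaviour described above, as an added model that is not code from the Field as Block module or from Drupal: a block cache whose key ignores the viewer's roles is compared with one that includes them. The class, function and role names and the sample node are constructed for illustration, and the idea that the vulnerable cache key omits the viewer's roles is an assumption made for the model.

```python
# Constructed model of a block cache; not Drupal or Field as Block code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

def render_field(node, user):
    """Stand-in for another module that alters field output by permission."""
    if "editor" in user.roles:
        return node["internal_note"]
    return "[restricted]"

class BlockCache:
    def __init__(self, vary_by_role):
        self.vary_by_role = vary_by_role
        self.store = {}
        self.renders = 0  # how many times the field was actually rendered

    def _key(self, node, user):
        # Assumption: the weak key identifies only the block and the entity.
        key = ("field_block", node["nid"])
        if self.vary_by_role:
            # Sorted so the same role set always maps to one cache entry.
            key += (tuple(sorted(user.roles)),)
        return key

    def view(self, node, user):
        key = self._key(node, user)
        if key not in self.store:
            self.renders += 1
            self.store[key] = render_field(node, user)
        return self.store[key]

def simulate(vary_by_role):
    """An editor warms the cache, then an anonymous visitor loads the same page."""
    node = {"nid": 42, "internal_note": "salary review: pending"}  # constructed
    editor = User("alice", frozenset({"authenticated", "editor"}))
    visitor = User("anon", frozenset({"anonymous"}))
    cache = BlockCache(vary_by_role)
    seen_by_editor = cache.view(node, editor)
    seen_by_visitor = cache.view(node, visitor)
    return seen_by_editor, seen_by_visitor, cache.renders

if __name__ == "__main__":
    for flag in (False, True):
        print("vary_by_role =", flag, "->", simulate(flag))
```

With the role-blind key the permission check runs once, for the editor, and the visitor is served the editor's rendering; with the role-aware key the field is rendered again under the visitor's own permissions.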