Description
The Field Collection module provides a field type that allows grouping of fields into collections attached to entities.
The module's "field_collection_item_access()" function contained an early "return TRUE" for users with the 'edit field collections' permission, which ran before any parent entity access check. This allowed such users to view or edit field collection items attached to entities they were not permitted to access. A second flaw caused the function to pass NULL to "entity_access()" when the host entity could not be loaded (orphaned items), which may return TRUE for some entity types, granting access to items with no valid parent.
This vulnerability is mitigated by the fact that the 'edit field collections' permission is typically granted only to trusted editor roles, and exploitation requires a site where restricted entities coexist with field collection fields.
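The two flaws described above, shown side by side with a hardened shape of the same access callback. This is an added illustration in Drupal 7 style, not the module's actual code or the 7.x-1.3 fix: the `*_vulnerable` / `*_hardened` function names and the 'administer field collections' permission are assumptions, and the `hostEntity()` / `hostEntityType()` item methods are assumed to behave as in the module (returning NULL for an orphaned item).

```php
<?php
// Added example: reconstructs the advisory's description, not the module's own
// code. Names suffixed _vulnerable/_hardened are hypothetical; the item methods
// hostEntity()/hostEntityType() are assumed to return NULL when the host cannot
// be loaded.

/**
 * Vulnerable shape: the permission check returns before the host entity is
 * consulted, and an unloadable host is passed to entity_access() as NULL.
 */
function field_collection_item_access_vulnerable($op, $item = NULL, $account = NULL) {
  if (user_access('administer field collections', $account)) {
    return TRUE;
  }
  // Flaw 1: 'edit field collections' short-circuits before any host check, so
  // a holder of this permission can view/edit items on entities they may not
  // access.
  if (user_access('edit field collections', $account)) {
    return TRUE;
  }
  if (!isset($item)) {
    return FALSE;
  }
  // Flaw 2: for an orphaned item hostEntity() yields NULL, and entity_access()
  // called with a NULL entity may return TRUE for some entity types.
  $host = $item->hostEntity();
  $host_op = ($op == 'create') ? 'update' : $op;
  return entity_access($host_op, $item->hostEntityType(), $host, $account);
}

/**
 * Hardened shape: deny orphans outright, require access to the host entity
 * first, and only then let the module permission decide the remaining ops.
 */
function field_collection_item_access_hardened($op, $item = NULL, $account = NULL) {
  if (user_access('administer field collections', $account)) {
    return TRUE;
  }
  if (!isset($item)) {
    // Without an item there is no host to inherit access from; deny rather
    // than fall back to a bare permission check.
    return FALSE;
  }
  $host = $item->hostEntity();
  if (!isset($host)) {
    // Orphaned item: never hand NULL to entity_access(); no parent means no
    // access to inherit.
    return FALSE;
  }
  $host_op = ($op == 'create') ? 'update' : $op;
  if (!entity_access($host_op, $item->hostEntityType(), $host, $account)) {
    return FALSE;
  }
  // Host access passed: viewing follows the host; editing additionally
  // requires the module permission.
  return $op == 'view' || user_access('edit field collections', $account);
}
```

The ordering is the point: an access callback that consults a broad permission before the parent entity turns that permission into a bypass of every node, user or other host-level restriction, and a callback that tolerates a NULL host delegates the decision to whatever `entity_access()` does with missing input. A regression test for the fix would create a host the test user cannot view, grant that user only 'edit field collections', and assert that the item access callback returns FALSE for both 'view' and 'update', plus a second case for an item whose host has been deleted.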
Solution
Install the latest version.
If you use the Field Collection module for Drupal 7, upgrade to field_collection 7.x-1.3.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES