Drupal Biblio Autocomplete Module SQL Injection and Access Bypass Vulnerabilities

Bugtraq ID:	69091
Class:	Input Validation Error
CVE:	CVE-2014-5250 CVE-2014-5249
Remote:	Yes
Local:	No
Published:	Aug 06 2014 12:00AM
Updated:	Aug 19 2014 12:21AM
Credit:	Carsten Logemann
Vulnerable:
Not Vulnerable:

Drupal Biblio Autocomplete Module SQL Injection and Access Bypass Vulnerabilities

The Biblio Autocomplete module for Drupal is prone to an SQL-injection vulnerability and an access-bypass vulnerability.

Exploiting these issues could allow an attacker to bypass certain security restrictions and perform unauthorized actions, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions are vulnerable:

Biblio Autocomplete 6.x versions prior to 6.x-1.1 are vulnerable.
Biblio Autocomplete 7.x versions prior to 7.x-1.5 are vulnerable.

Drupal Biblio Autocomplete Module SQL Injection and Access Bypass Vulnerabilities

An attacker can exploit these issues using a browser.

Drupal Biblio Autocomplete Module SQL Injection and Access Bypass Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Drupal Biblio Autocomplete Module SQL Injection and Access Bypass Vulnerabilities

References: