Problem/Motivation
This module has an information disclosure vulnerability.
You can see this vulnerability as follows:
1. Enable the module.
2. Create a node titled 'this should not be accessible' and save it as unpublished.
3. As a user without permission to view unpublished nodes, visit '/dynamic_entity_reference/autocomplete/node/accessible': the unpublished node's title is shown to the user, when it shouldn't be.
The equivalent autocomplete path in the entityreference module includes a status filter for supported entity types that have a status field (e.g. nodes and users), via its type-specific selection handler classes. It also has an access callback that verifies the field instance being used, which limits what is accessible: only entity types that are actually configured for referencing from a field can be listed by its callback. The DER module's version, by contrast, works without any access callback and returns data for any entity type.
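As an added illustration (not code from the DER module or from the attached patch), this is how an autocomplete matcher can apply both safeguards the description credits to entityreference: a status filter plus an access check tied to the entity types the field is configured for. The class name, the `$allowedTypes` argument and where it comes from are assumptions; the entity API calls are those of Drupal 8 and later.

```php
<?php
use Drupal\Component\Utility\Html;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;

// Hypothetical matcher (added example, not the DER module's code): only entity
// types the referencing field is configured for may be queried, and each result
// is checked against the current user's view access before it is returned.
class SafeAutocompleteMatcher {

  public function __construct(
    protected EntityTypeManagerInterface $entityTypeManager,
    protected AccountInterface $currentUser,
  ) {}

  /**
   * @param string[] $allowedTypes
   *   Entity type IDs from the field's settings (assumed to be supplied by the caller).
   */
  public function getMatches(string $entityTypeId, string $input, array $allowedTypes): array {
    // Equivalent of entityreference's access callback: reject any type that is
    // not configured on the field, whatever the URL asks for.
    if (!in_array($entityTypeId, $allowedTypes, TRUE)) {
      return [];
    }
    $storage = $this->entityTypeManager->getStorage($entityTypeId);
    $entityType = $storage->getEntityType();
    if (!($labelKey = $entityType->getKey('label'))) {
      return [];
    }
    $query = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition($labelKey, $input, 'CONTAINS')
      ->range(0, 10);
    // Status filter for entity types that declare a published key (e.g. node).
    if ($publishedKey = $entityType->getKey('published')) {
      $query->condition($publishedKey, 1);
    }
    $matches = [];
    foreach ($storage->loadMultiple($query->execute()) as $entity) {
      // Per-entity check: query-level access alone does not hide unpublished
      // nodes on sites without a node access module.
      if ($entity->access('view', $this->currentUser)) {
        $matches[] = ['value' => $entity->id(), 'label' => Html::escape($entity->label())];
      }
    }
    return $matches;
  }
}
```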
| Comment | File | Size | Author |
|---|---|---|---|
| | 176846.patch | 1.5 KB | larowlan |
Comments
Comment #3
larowlan