DRUPAL-CONTRIB-2020-028

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/apigee_edge/DRUPAL-CONTRIB-2020-028.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-028
Published
2020-07-22T18:48:10Z
Modified
2025-12-10T23:33:45.092234Z
Summary
[none]
Details

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.

The "Apigee Edge Teams" submodule has an information disclosure vulnerability. The "Add team member" form displays an email autocomplete field which can expose the email addresses of other accounts in the system.

This vulnerability is mitigated by the fact that, to have access to the form, the site must have the Apigee Edge Teams submodule enabled and the user must have a team role that has the "Manage team members" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions.)


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/apigee_edge

Package

Name
drupal/apigee_edge
Purl
pkg:composer/drupal/apigee_edge

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.12.0
Database specific
{
    "constraint": "<1.12.0"
}

Database specific

affected_versions
"<1.12.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/apigee_edge/DRUPAL-CONTRIB-2020-028.json"