CVE-2012-5588

low

Published 2012-12-26 · Modified 2026-04-29

CVSS v3

—

CVSS v2

2.6

VIR risk

2.6

Description

The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupal.org/node/1853214

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupal.org/node/1852612

Application impact

Vendor	Product	Versions
epiqo	email	`6.x-1.0`
epiqo	email	`6.x-1.1`
epiqo	email	`6.x-1.2`
epiqo	email	`6.x-1.x`
drupal	drupal	`-`

References

http://drupal.org/node/1852612
http://drupal.org/node/1853214
http://www.openwall.com/lists/oss-security/2012/11/29/2
http://drupal.org/node/1852612
http://drupal.org/node/1853214
http://www.openwall.com/lists/oss-security/2012/11/29/2

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.