Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
Problem types
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Product status
3.0.0 (semver) before 3.0.12
3.1.0 (semver) before 3.1.4
Credits
Changhai Qi (qichanghai)
Jürgen Haas (jurgenhaas)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Dave Long (longwave)
References
www.drupal.org/sa-contrib-2026-074