Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
  • Date: Wed, 6 Jun 2018 16:28:51 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-040

Project: Entity Delete [1]
Date: 2018-June-06
Security risk: *Critical* 18∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Multiple Vulnerabilities

Description: 
This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use
cases, leading to access bypass. The module also does not protect against
Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker
must have a role with the permission "access content". There is no additional
mitigation for the Cross Site Request Forgery vulnerability.

Solution: 
Install the latest version:

* If you use the Entity Delete module for Drupal 8.x, upgrade to Entity
Delete 8.x-1.4 [3]

Also see the Entity Delete [4] project page.

Reported By: 
* Balazs Janos Tatar [5]Provisional Security Team Member

Fixed By: 
* Balazs Janos Tatar [6]Provisional Security Team Member
* A Ajay Kumar Reddy [7]

Coordinated By: 
* Balazs Janos Tatar [8]Provisional Security Team Member


[1] https://www.drupal.org/project/entity_delete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2977685
[4] https://www.drupal.org/project/entity_delete
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/3261994
[8] https://www.drupal.org/user/649590

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040, security-news, 06.06.2018

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang