it-securitynotifies - [IT-SecNots] [Security-news] Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050
  • Date: Wed, 22 May 2019 16:52:58 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-050

Project: Menu Item Extras [1]
Date: 2019-May-22
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery

Description: 
This module enables you to handle fields for Custom Menu Links.
The module doesn't sufficiently check requests to one of the module
controllers if the user has permission 'administer menu'.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create content.

Solution: 
Install the latest version:

* If you use the Menu Item Extras module for Drupal 8.x, upgrade to Menu
Item Extras 8.x-2.5 [3]

Reported By: 
* Graham Cole [4]

Fixed By: 
* Andriy Khomych [5]
* Graham Cole [6]
* Mykhailo Gurei [7]
* Oleh Vehera [8]

Coordinated By: 
* Michael Hess [9] of the Drupal Security Team


[1] https://www.drupal.org/project/menu_item_extras
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/menu_item_extras/releases/8.x-2.5
[4] https://www.drupal.org/user/364457
[5] https://www.drupal.org/user/3287133
[6] https://www.drupal.org/user/364457
[7] https://www.drupal.org/user/2752909
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/u/mlhess
