
it-securitynotifies - [IT-SecNots] [Security-news] Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055
  • Date: Wed, 10 Jul 2019 16:51:30 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-055

Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2019-July-10
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module enables you to add and manage additional custom permissions
through the administration UI.

The module doesn't sufficiently check access permissions for its
administration page.

This vulnerability is mitigated by the fact that an attacker must know the
route of the Custom Permissions administration form, though this is easily
known.

Solution: 
Install the latest version:

* If you use Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to
Custom Permissions 8.x-1.2 [3]

Also see the Custom Permissions [4] project page.

Reported By: 
* Mohammed Razem [5]

Fixed By: 
* David Valdez [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.2
[4] https://www.drupal.org/project/config_perms
[5] https://www.drupal.org/user/255384
[6] https://www.drupal.org/user/992990
[7] https://www.drupal.org/user/36762

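An added example, not part of the advisory or of the module's code: a small audit that reads the text of a Drupal 8 `*.routing.yml` file and lists routes under `/admin` whose `requirements` contain no permission, role or custom access check. The advisory does not say how the check was missing in Custom Permissions; the `/admin` prefix rule, the `RESTRICTIVE` key set and the `example_perms` routes are assumptions made for illustration.

```python
# Requirement keys that bind a route to a permission, role or custom checker.
RESTRICTIVE = {"_permission", "_role", "_custom_access",
               "_entity_access", "_entity_create_access"}

def parse_routes(text):
    """Parse the indentation subset of YAML that *.routing.yml files use."""
    routes, name, section = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:                      # route name
            name, section = key, None
            routes[name] = {"path": "", "requirements": {}}
        elif name and indent == 2:           # path / defaults / requirements
            section = key
            if key == "path":
                routes[name]["path"] = value
        elif name and section == "requirements":
            routes[name]["requirements"][key] = value
    return routes

def audit(text, prefix="/admin"):
    """Return {route: requirements} for admin routes with no restrictive check."""
    return {name: r["requirements"] for name, r in parse_routes(text).items()
            if r["path"].startswith(prefix)
            and not RESTRICTIVE.intersection(r["requirements"])}

# Constructed sample; module and route names are hypothetical.
SAMPLE = """\
example_perms.open_form:
  path: '/admin/people/example-permissions'
  requirements:
    _access: 'TRUE'
example_perms.guarded_form:
  path: '/admin/people/example-permissions/guarded'
  requirements:
    _permission: 'administer site configuration'
example_perms.login_only_form:
  path: '/admin/people/example-permissions/export'
  requirements:
    _user_is_logged_in: 'TRUE'
"""
print(audit(SAMPLE))
```

A flagged route is a candidate for review, not proof of a bypass, and a route that passes can still name a permission that is granted too widely.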

