it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
- Date: Wed, 24 Jul 2019 19:20:13 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-060
Project: Existing Values Autocomplete Widget [1]
Date: 2019-July-24
Security risk: *Critical* 17/25
AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module provides an autocomplete widget for text fields that suggests all
existing (previously entered) values for that field.
The module doesn't sufficiently check for proper access permission before
returning autocomplete results.
This vulnerability is mitigated by the fact that an attacker must know the
route to the autocomplete callback controller, though this is easily discovered.
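To show the defensive pattern the advisory implies, the following is an added hypothetical Drupal 8 controller (not the module's own code; the module name, route, and method names are assumed). It binds an access callback to the autocomplete route so the router refuses callers without view access to the field, and it runs the value query with entity access checks enabled so only entities the caller may view contribute suggestions.

```php
<?php

namespace Drupal\example_autocomplete\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityFieldManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

// Hypothetical module. Its route '/example-autocomplete/{entity_type}/{bundle}/{field_name}'
// declares  requirements: { _custom_access: '...AutocompleteController::access' }
// so the router rejects unauthorised callers before handleAutocomplete() runs.
class AutocompleteController extends ControllerBase {
  protected $fieldManager;
  public function __construct(EntityFieldManagerInterface $field_manager) {
    $this->fieldManager = $field_manager;
  }
  public static function create(ContainerInterface $container) {
    return new static($container->get('entity_field.manager'));
  }
  // Access callback: an unknown field is forbidden; otherwise defer to the
  // entity type's access handler for 'view' access on that specific field.
  public function access(AccountInterface $account, $entity_type, $bundle, $field_name) {
    $definitions = $this->fieldManager->getFieldDefinitions($entity_type, $bundle);
    if (!isset($definitions[$field_name])) {
      return AccessResult::forbidden();
    }
    $handler = $this->entityTypeManager()->getAccessControlHandler($entity_type);
    return $handler->fieldAccess('view', $definitions[$field_name], $account, NULL, TRUE);
  }
  // Suggest distinct existing values, but only from entities the caller may view.
  public function handleAutocomplete(Request $request, $entity_type, $bundle, $field_name) {
    $storage = $this->entityTypeManager()->getStorage($entity_type);
    $ids = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition($field_name, $request->query->get('q', ''), 'STARTS_WITH')
      ->range(0, 10)
      ->execute();
    $results = [];
    foreach ($storage->loadMultiple($ids) as $entity) {
      $value = $entity->get($field_name)->value;
      $results[$value] = ['value' => $value, 'label' => $value];
    }
    return new JsonResponse(array_values($results));
  }
}
```

Without the `_custom_access` requirement and `accessCheck(TRUE)`, any caller who knows the route would receive field values from content they are not permitted to view, which is the access bypass this advisory describes.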
Solution:
Install the latest version:
* If you use the Existing Values Autocomplete Widget module for Drupal 8.x,
upgrade to Existing Values Autocomplete Widget 8.x-1.2 [3]
Also see the Existing Values Autocomplete Widget [4] project page.
Reported By:
* David Stinemetze [5]
Fixed By:
* Art Williams [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/existing_values_autocomplete_widget
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3069768
[4] https://www.drupal.org/project/existing_values_autocomplete_widget
[5] https://www.drupal.org/user/2508346
[6] https://www.drupal.org/user/77599
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.