it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Webform - Critical - Access bypass - SA-CONTRIB-2020-016
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Webform - Critical - Access bypass - SA-CONTRIB-2020-016
- Date: Wed, 6 May 2020 17:25:36 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-016
Project: Webform [1]
Date: 2020-May-06
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This webform module enables you to build 'Term select' and 'Term checkboxes'
elements.
The module doesn't sufficiently check term 'view' access when rendering the
'Term select' and 'Term checkboxes' elements. Unpublished terms will always
appear in the 'Term select' and 'Term checkboxes' elements.
Solution:
Install the latest version:
* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11 [3]
Also see the Webform [4] project page.
Reported By:
* James Gilliland [5] of the Drupal Security Team
Fixed By:
* Jacob Rockowitz [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/48673
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/36762
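
To act on the Solution section above, a site's `composer.lock` can be checked for a Webform release older than the fixed 8.x-5.11. This is an added example, not part of the advisory or the Webform project. It assumes Composer reports 8.x-5.11 as 5.11.0 and that releases after 8.x-5.11 keep the fix; `classify`, `check_lock` and the sample lock data are hypothetical and constructed.

```python
import json
import re

FIXED = (5, 11)  # Webform 8.x-5.11, the fixed release named in the advisory

# Accepts Drupal.org style ("8.x-5.11", "8.x-5.0-rc2") and Composer style
# ("5.11.0", "v5.9.0", "5.11.0-rc1"); the Composer mapping is an assumption.
_VERSION = re.compile(
    r"^v?(?:8\.x-)?(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)?"
    r"(?:-(?P<pre>[A-Za-z]+\d*))?$"
)


def classify(version):
    """Return 'upgrade', 'ok' or 'unknown' for one Webform version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # e.g. "8.x-5.x-dev": a dev snapshot cannot be ordered
    release = (int(m["major"]), int(m["minor"]))
    if release < FIXED:
        return "upgrade"
    if release == FIXED and m["pre"]:
        return "upgrade"  # conservative: a 5.11 pre-release sorts before 5.11
    return "ok"  # assumption: later releases still carry the fix


def check_lock(lock_text):
    """Map each drupal/webform version found in a composer.lock to a verdict."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "drupal/webform":
                version = pkg.get("version", "")
                found[version] = classify(version)
    return found


# Constructed sample lock file content, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.8.5"},
    {"name": "drupal/webform", "version": "5.9.0"},
]})

if __name__ == "__main__":
    for version, verdict in check_lock(SAMPLE_LOCK).items():
        print(f"drupal/webform {version}: {verdict}")
```

An "unknown" verdict means the installed version needs to be compared with the release notes by hand.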