[IT-SecNots] [Security-news] Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2020-017

Project: Webform [1]
Date: 2020-May-06
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a Drupal
node. The Webform Node module does not implement access checking in the same
manner as other nodes and entities. As such, writers of custom modules which
implement webform_node, node, or entity access checks may not achieve the
intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only
exists on sites with custom code and a node access module in use.

Solution: 
Install the latest version:

  * If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
    [3]

Also see the Webform [4] project page.

Reported By: 
  * Dan Chadwick  [5]

Fixed By: 
  * Dan Chadwick  [6]
  * Jacob Rockowitz  [7]
  * Liam Morland  [8]

Coordinated By: 
  * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/504278
[6] https://www.drupal.org/user/504278
[7] https://www.drupal.org/user/371407
[8] https://www.drupal.org/user/493050
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news