it-securitynotifies - [IT-SecNots] [Security-news] Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016
  • Date: Wed, 16 Jun 2021 16:29:39 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-016

Project: Linky Revision UI [1]
Date: 2021-June-16
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module provides a revision UI to Linky entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role
with any of the permissions provided by Linky Revision UI, and another
affected module must be enabled.

Solution: 
Install the latest version:

* If you use the Linky Revision UI module for Drupal 8.x, upgrade to Linky
Revision UI 2.127.1 [3]

Reported By: 
* Michael Strelan [4]

Fixed By: 
* Michael Strelan [5]
* Lee Rowlands [6] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team


[1] https://www.drupal.org/project/linky_revision_ui
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/linky_revision_ui/releases/2.127.1
[4] https://www.drupal.org/user/314289
[5] https://www.drupal.org/user/314289
[6] https://www.drupal.org/user/395439
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/395439
