Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017
  • Date: Wed, 16 Jun 2021 16:30:19 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-017

Project: Block Content Revision UI [1]
Date: 2021-June-16
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module provides a revision UI to Block Content entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role
with any of the permissions provided by Block Content Revision UI, and
another affected module must be enabled.

Solution: 
Install the latest version:

* If you use the Block Content Revision UI module for Drupal 8.x, upgrade to
Block Content Revision UI 2.127.1 [3]

Reported By: 
* Michael Strelan [4]

Fixed By: 
* Michael Strelan [5]

Coordinated By: 
* Greg Knaddison [6] of the Drupal Security Team
* Lee Rowlands [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team


[1] https://www.drupal.org/project/block_content_revision_ui
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_content_revision_ui/releases/2.127.1
[4] https://www.drupal.org/user/314289
[5] https://www.drupal.org/user/314289
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017, security-news, 16.06.2021

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang