
it-securitynotifies - [IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022
  • Date: Wed, 30 Jun 2021 17:06:53 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-022

Project: Block Content Revision UI [1]
Date: 2021-June-30
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module provides a revision UI for Block Content entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role
with any of the permissions provided by Block Content Revision UI, and
another affected module must be enabled.

Solution: 
Install the latest version:

* If you use the Block Content Revision UI module for Drupal 8.x, upgrade to
Block Content Revision UI 2.127.2 [3]

Reported By: 
* Adam [4]

Fixed By: 
* Adam [5]
* Michael Strelan [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team


[1] https://www.drupal.org/project/block_content_revision_ui
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_content_revision_ui/releases/2.127.2
[4] https://www.drupal.org/user/1036766
[5] https://www.drupal.org/user/1036766
[6] https://www.drupal.org/user/314289
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

