it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041
- Date: Wed, 22 Sep 2021 18:06:37 +0000 (UTC)
- Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-041
Project: The Better Mega Menu [1]
Date: 2021-September-22
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Access bypass
Description:
This module provides an admin interface for creating drop down menus that
combine Drupal menu items with rich media content.
This module has a vulnerability whereby users can select, as a menu item,
blocks they don't have permission to view.
The vulnerability is mitigated by the fact that it can only be exploited by
an attacker with the "Administer TB Mega Menu" permission.
Solution:
Install the latest version:
* If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu
8.x-1.4 [3]
Reported By:
* Patrick Fey [4]
Fixed By:
* Patrick Fey [5]
* Henry Odiete [6]
* quondam [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tb_megamenu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tb_megamenu/releases/8.x-1.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/998680
[6] https://www.drupal.org/user/3578705
[7] https://www.drupal.org/user/327869
[8] https://www.drupal.org/u/damienmckenna