Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025
  • Date: Wed, 16 Feb 2022 17:33:44 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-025

Project: Quick Edit [1]
Date: 2022-February-16
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This advisory addresses a similar issue to Drupal core - Moderately critical
- Information disclosure - SA-CORE-2022-004 [3].

The Quick Edit module does not properly check entity access in some
circumstances. This could result in users with the "access in-place editing"
permission viewing some content they are are not authorized to access.

Solution: 
Install the latest version:

* If you use the Quick Edit module for Drupal 9.x, upgrade to Quick Edit
1.0.1 [4]

Reported By: 
* Samuel Mortenson [5]

Fixed By: 
* Théodore Biadala [6]
* xjm [7] of the Drupal Security Team
* Alex Bronstein [8] of the Drupal Security Team
* Adam G-H [9]
* Drew Webber [10] of the Drupal Security Team
* Wim Leers [11]
* Ted Bowman [12]
* Dave Long [13]
* Derek Wright [14]
* Lee Rowlands [15] of the Drupal Security Team
* Samuel Mortenson [16]
* Joseph Zhao [17]


[1] https://www.drupal.org/project/quickedit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2022-004
[4] https://www.drupal.org/project/quickedit/releases/1.0.1
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/598310
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/78040
[9] https://www.drupal.org/user/205645
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/240860
[13] https://www.drupal.org/user/246492
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/395439
[16] https://www.drupal.org/user/2582268
[17] https://www.drupal.org/user/1987218

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025, security-news, 16.02.2022

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang