it-securitynotifies - [IT-SecNots] [Security-news] Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
  • Date: Wed, 25 May 2022 17:39:18 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-044

Project: Entity Browser Block [1]
Date: 2022-May-25
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
Entity Browser Block provides a Block Plugin for every Entity Browser on your
site.

The module didn't sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to
place a block - either through the core "Block Layout" page or via a module
like Layout Builder.

Solution: 
Install the latest version:

* If you use the entity_browser_block module for Drupal 8+, upgrade to
entity_browser_block 8.x-1.2 [3]

Reported By: 
* Dan Flanagan [4]

Fixed By: 
* Dan Flanagan [5]
* Samuel Mortenson [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/entity_browser_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_browser_block/releases/8.x-1.2
[4] https://www.drupal.org/user/3615359
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/36762
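
An added example, not part of the advisory or of the Drupal project's code: a small parser for the header fields and risk vector above, for triaging security-news mails against a module inventory. The function names and the comparison rule (any release older than the one named under Solution needs updating) are assumptions, and the sample text is copied from this message.

```python
import re

# Constructed sample: header and solution lines copied from the advisory above.
ADVISORY = """\
Project: Entity Browser Block [1]
Date: 2022-May-25
Security risk: *Moderately critical* 13\u221525
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

* If you use the entity_browser_block module for Drupal 8+, upgrade to
entity_browser_block 8.x-1.2 [3]
"""

FIELD = re.compile(r"^(Project|Date|Security risk|Vulnerability):\s*(.+?)(?:\s*\[\d+\])?$", re.M)
VECTOR = re.compile(r"^((?:[A-Z]{1,2}:\w+/)+[A-Z]{1,2}:\w+)", re.M)
# The score separator is U+2215 in the mail; a plain "/" is accepted as well.
RISK = re.compile(r"\*(.+?)\*\s*(\d+)[/\u2215](\d+)")
FIXED = re.compile(r"upgrade to\s+(\w+)\s+(\d+\.x-\d+\.\d+)")


def parse_advisory(text):
    """Return the advisory's header fields, risk vector and fixed releases."""
    rec = {k.lower().replace(" ", "_"): v for k, v in FIELD.findall(text)}
    level, score, out_of = RISK.search(rec["security_risk"]).groups()
    rec["security_risk"] = {"level": level, "score": int(score), "max": int(out_of)}
    rec["vector"] = dict(p.split(":") for p in VECTOR.search(text).group(1).split("/"))
    rec["fixed"] = dict(FIXED.findall(text))  # {module: fixed release}
    return rec


def version_key(v):
    """'8.x-1.2' -> (8, 1, 2); dev and pre-release strings are rejected."""
    m = re.fullmatch(r"(\d+)\.x-(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(g) for g in m.groups())


def needs_update(advisory, module, installed):
    """Assumed rule: installed is older than the release the advisory names."""
    fixed = advisory["fixed"].get(module)
    return fixed is not None and version_key(installed) < version_key(fixed)
```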
