[IT-SecNots] [Security-news] Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058
- Date: Wed, 12 Oct 2022 19:58:20 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-058
Project: Twig Field Value [1]
Date: 2022-October-12
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables themers to get partial data from field render arrays. It
gives them more control over the output without drilling deep into the render
array or using preprocess functions.
The module doesn't sufficiently apply access restrictions when using the
filters field_label, field_value, field_raw and field_target_entity.
This vulnerability is mitigated by the fact that these filters must be used
in combination with either unpublished content or access control modules.
Solution:
Install the latest version:
* If you use the Twig Field Value module version 8.x-1.x or 2.0.x, upgrade
to Twig Field Value 2.0.1 [3]
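A site owner triaging this advisory needs two facts: which version of the module is installed, and whether any theme template actually passes field data through the four filters named above (field_label, field_value, field_raw, field_target_entity). The script below is an added example, not code from the advisory or from the Twig Field Value project. It assumes the Composer package is named drupal/twig_field_value (Drupal's packaging convention for the project at the URL above) and that legacy 8.x-1.y releases appear in composer.lock as 1.y.0, so any parsed version below 2.0.1 is treated as affected; dev branches that cannot be parsed are reported as unknown rather than guessed. The composer.lock content and template sources embedded here are constructed sample input.

```python
"""Triage helper for SA-CONTRIB-2022-058 (Twig Field Value access bypass).

Added example, not part of the advisory or the module. It answers two questions
offline: is the installed module older than the fixed release (2.0.1), and which
templates use the filters the advisory names. A filter hit is only an exposure
candidate: per the advisory, it matters when the field points at unpublished
content or content gated by an access control module.
"""
import json
import re

# Filter names exactly as listed in the advisory.
AFFECTED_FILTERS = ("field_label", "field_value", "field_raw", "field_target_entity")
FIXED_VERSION = (2, 0, 1)
# Assumption: Drupal's Composer naming convention for this project.
PACKAGE = "drupal/twig_field_value"

# A Twig filter application is "expr|filter"; \b stops field_value matching field_values.
FILTER_RE = re.compile(r"\|\s*(" + "|".join(AFFECTED_FILTERS) + r")\b")


def find_filter_uses(template_source: str):
    """Return [(line_no, filter_name), ...] for each affected filter used in a template."""
    hits = []
    for line_no, line in enumerate(template_source.splitlines(), start=1):
        for match in FILTER_RE.finditer(line):
            hits.append((line_no, match.group(1)))
    return hits


def is_vulnerable_version(version: str):
    """True if below the fixed release, False if fixed, None if not a plain x.y.z (e.g. dev branch)."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        return None
    return tuple(int(part) for part in match.groups()) < FIXED_VERSION


def installed_version(lock_text: str):
    """Return the locked version string of the module, or None if it is not installed."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def triage(lock_text: str, templates: dict):
    """Combine the version check with a per-template scan; templates maps path -> source."""
    version = installed_version(lock_text)
    uses = {}
    for path, source in templates.items():
        hits = find_filter_uses(source)
        if hits:
            uses[path] = hits
    return {
        "installed_version": version,
        "vulnerable_version": None if version is None else is_vulnerable_version(version),
        "filter_uses": uses,
    }


# Constructed sample input: a composer.lock pinning the last affected 2.0.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.7"},
        {"name": PACKAGE, "version": "2.0.0"},
    ],
    "packages-dev": [],
})

# Constructed sample templates: one uses two affected filters, one uses none.
SAMPLE_TEMPLATES = {
    "node--article.html.twig": (
        "<h2>{{ content.field_subtitle|field_value }}</h2>\n"
        "{{ content.body }}\n"
        "<div class=\"tags\">{{ content.field_tags|field_target_entity|length }}</div>\n"
    ),
    "page.html.twig": "{{ page.content }}\n",
}

if __name__ == "__main__":
    report = triage(SAMPLE_LOCK, SAMPLE_TEMPLATES)
    print(f"{PACKAGE}: {report['installed_version']} "
          f"(below 2.0.1: {report['vulnerable_version']})")
    for path, hits in report["filter_uses"].items():
        for line_no, name in hits:
            print(f"  {path}:{line_no} uses |{name}")
```

On a real site, read composer.lock from the project root and feed every *.html.twig under the active theme into triage(); a version result of None (dev branch) means the lock file alone cannot settle the question and the module's changelog or the deployed code must be checked instead.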
Reported By:
* Erik Stielstra [4]
Fixed By:
* Erik Stielstra [5]
Coordinated By:
* Damien McKenna [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/twig_field_value
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/twig_field_value/releases/2.0.1
[4] https://www.drupal.org/user/73854
[5] https://www.drupal.org/user/73854
[6] https://www.drupal.org/user/108450
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/383424
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.