it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
- Date: Wed, 18 Jan 2023 18:54:02 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 01EE141768
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 6ACFE41010
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 3A95A606FF
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6EB9860625
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-004
Project: Media Library Form API Element [1]
Version: 8.x-1.38.x-1.28.x-1.1
Date: 2023-January-18
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Information Disclosure
Affected versions: >=2.0 <2.0.6
Description:
This module enables you to use the media library in custom forms without the
Media Library Widget.
The module does not properly check entity access in some circumstances. This
may result in users with access to edit content seeing metadata about media
items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will
only be visible to users who can already edit content that includes a media
reference field.
Solution:
Install the latest version:
* If you use the Media Library Form API Element module versions 2.x for
Drupal 9 or 10, upgrade to 2.0.6 [3].
* If you use the Media Library Form API Element module version 8.x-1.* they
are all affected and are no longer supported. You should upgrade to 2.0.6
[4].
Reported By:
* Benji Fisher [5] of the Drupal Security Team
* Dan Flanagan [6]
Fixed By:
* Kim Kennof [7]
* Lauri Eskola [8]
* Alex Bronstein [9] of the Drupal Security Team
* Luke Leber [10]
* Lee Rowlands [11] of the Drupal Security Team
Coordinated By:
* xjm [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
* Benji Fisher [14] of the Drupal Security Team
[1] https://www.drupal.org/project/media_library_form_element
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/media_library_form_element/releases/2.0.6
[4] https://www.drupal.org/project/media_library_form_element/releases/2.0.6
[5] https://www.drupal.org/user/683300
[6] https://www.drupal.org/user/3615359
[7] https://www.drupal.org/user/333515
[8] https://www.drupal.org/user/1078742
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/3509746
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/395439
[14] https://www.drupal.org/user/395439
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004, security-news, 18.01.2023
Archiv bereitgestellt durch MHonArc 2.6.24.