it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
- Date: Wed, 15 Mar 2023 17:58:48 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-010
Project: Media Responsive Thumbnail [1]
Date: 2023-March-15
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure
Description:
The Media Responsive Thumbnail module allows media reference fields to be
rendered as a responsive image.
This module does not properly check entity access prior to rendering media.
This may result in users seeing thumbnails of media items they do not have
access to.
This release was coordinated with SA-CORE-2023-002 [3].
Solution:
Install the latest version:
* If you use the Media Responsive Thumbnail module, upgrade to Media
Responsive Thumbnail 8.x-1.5 [4]
Reported By:
* Dan Flanagan [5]
Fixed By:
* Ivan Vidusenko [6]
* Benji Fisher [7] of the Drupal Security Team
Coordinated By:
* Benji Fisher [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
* Joseph Zhao [10] Provisional Member of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Dave Long [12] of the Drupal Security Team
[1] https://www.drupal.org/project/media_responsive_thumbnail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2023-002
[4] https://www.drupal.org/project/media_responsive_thumbnail/releases/8.x-1.5
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/2989799
[7] https://www.drupal.org/user/683300
[8] https://www.drupal.org/user/683300
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/1987218
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/246492
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
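A site-side check for the fix named under "Solution", as an added example that is not part of the advisory or of the module: it reads a composer.lock and reports whether Media Responsive Thumbnail is older than 8.x-1.5. The Composer package name `drupal/media_responsive_thumbnail` and the mapping of 8.x-1.5 to Composer version 1.5.0 are assumptions based on Drupal's usual packaging conventions; the sample lock file is constructed.

```python
import json
import re

# Assumed Composer name: drupal/<project machine name from the advisory's link [1]>.
PACKAGE = "drupal/media_responsive_thumbnail"
FIXED = (1, 5)  # 8.x-1.5, the release the advisory says to upgrade to


def parse_version(raw):
    """Return (major, minor) for '1.5.0', 'v1.5.0' or '8.x-1.5'.

    Dev branches and pre-releases return None so they get a manual review
    instead of being reported as fixed.
    """
    m = re.fullmatch(r"(?:8\.x-|v)?(\d+)\.(\d+)(?:\.\d+)?", raw.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_lock(lock_text):
    """Classify a composer.lock: not-installed, needs-upgrade, fixed or unknown."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = parse_version(str(pkg.get("version", "")))
        if version is None:
            return "unknown"
        return "fixed" if version >= FIXED else "needs-upgrade"
    return "not-installed"


# Constructed sample, not a real site's lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.5.5"},
        {"name": "drupal/media_responsive_thumbnail", "version": "1.4.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    # Pass the path to a composer.lock, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(PACKAGE, "->", check_lock(text))
```

A result of `unknown` means the lock file pins a dev branch or pre-release, which has to be compared against the 8.x-1.5 release by hand.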