[IT-SecNots] [Security-news] AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018
- Date: Wed, 31 May 2023 16:22:10 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-018
Project: AddToAny Share Buttons [1]
Date: 2023-May-31
Security risk: *Moderately critical* 11/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
This module provides social media share & follow buttons.
The module doesn't sufficiently check access to a node when retrieving the
label of an AddToAny block.
This vulnerability is mitigated by the fact that it requires the node ID to be
passed via the route; another module or specific configuration must provide
this ID, as the /node/{id} page does not provide this value when access is
denied.
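The pattern behind the advisory, as an added illustration rather than the AddToAny module's own code: a block plugin whose label is derived from the node named by the current route. The unsafe variant returns the node title without consulting node access; the hardened variant asks the access system first and also gates block rendering. The namespace, class name and block id are assumptions.

```php
<?php
// Added illustration, not the AddToAny module's own code. Namespace, class
// and block id are assumptions; the route parameter "node" is Drupal's own.

namespace Drupal\example_share\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * @Block(
 *   id = "example_share_block",
 *   admin_label = @Translation("Example share block"),
 * )
 */
class ExampleShareBlock extends BlockBase {

  /** Node named by the current route, or NULL when the route carries none. */
  protected function routeNode(): ?NodeInterface {
    $node = \Drupal::routeMatch()->getParameter('node');
    return $node instanceof NodeInterface ? $node : NULL;
  }

  /**
   * Unsafe pattern: the node title becomes the block label whether or not the
   * user may view that node, so it leaks even when the node page is denied.
   */
  public function unsafeLabel() {
    $node = $this->routeNode();
    return $node ? $node->label() : parent::label();
  }

  /** Hardened pattern: ask the node access system before exposing the title. */
  public function label() {
    $node = $this->routeNode();
    return ($node && $node->access('view')) ? $node->label() : parent::label();
  }

  /** Gate rendering on node access too, with cache metadata varying by route. */
  protected function blockAccess(AccountInterface $account) {
    $node = $this->routeNode();
    if ($node) {
      return $node->access('view', $account, TRUE)->addCacheContexts(['route']);
    }
    return AccessResult::allowed()->addCacheContexts(['route']);
  }
}
```

The access result returned by `blockAccess()` carries the node's access cacheability and the `route` context, so a cached block for one node is never served on another node's route.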
Solution:
Install the latest version:
* If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10,
upgrade to AddToAny 2.0.4 [3]
* If you use the AddToAny Share Buttons module for Drupal versions before
9.4, upgrade to AddToAny 8.x-1.21 [4]
Reported By:
* Mitch Portier [5]
Fixed By:
* Vladimir Roudakov [6]
* micropat [7]
* Mitch Portier [8]
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/2.0.4
[4] https://www.drupal.org/project/addtoany/releases/8.x-1.21
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/673120
[7] https://www.drupal.org/user/260224
[8] https://www.drupal.org/user/2284182
[9] https://www.drupal.org/user/108450
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news