it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037
- Date: Wed, 23 Aug 2023 18:29:49 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-037
Project: Config Pages [1]
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <2.9.0
Description:
This module enables you to build administrative pages for managing
configuration objects, which may then be used elsewhere in the site.
The module doesn't sufficiently validate access when the JSONAPI module is
also installed.
This vulnerability is mitigated by the fact that it only affects sites when
the JSONAPI module is installed.
Solution:
Install the latest version:
* If you use the Config Pages module for Drupal 8+, upgrade to Config Pages
8.x-2.9 [3]
Reported By:
* Nate Andersen [4]
Fixed By:
* Nate Andersen [5]
* Alexander Shumenko [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/config_pages
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_pages/releases/8.x-2.9
[4] https://www.drupal.org/user/471638
[5] https://www.drupal.org/user/471638
[6] https://www.drupal.org/user/2297432
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/102818
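One way to check a site against the two conditions in this advisory (Config Pages older than 2.9.0, and the JSONAPI module installed alongside it). This is an added example, not part of the advisory or of the Drupal project's code. It assumes a Composer-managed site whose composer.lock and exported core.extension.yml are available; the status labels and sample inputs are constructed for illustration.

```python
import json
import re

FIXED = (2, 9, 0)  # advisory: affected versions are < 2.9.0

def parse_version(raw):
    """(major, minor, patch) for '2.8.0', 'v2.8' or '8.x-2.8'; None for dev branches."""
    m = re.fullmatch(r"(?:8\.x-|v)?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def installed_version(composer_lock_text):
    """Version string of drupal/config_pages in composer.lock, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/config_pages":
            return pkg.get("version", "")
    return None

def enabled_modules(core_extension_yml):
    """Module names under the top-level 'module:' key (simple line-based parse)."""
    mods, in_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            in_block = line.rstrip() == "module:"   # a new top-level key starts
        elif in_block:
            m = re.match(r"\s+([a-z0-9_]+):", line)
            if m:
                mods.add(m.group(1))
    return mods

def assess(composer_lock_text, core_extension_yml):
    """Return one of the hypothetical status labels used in this example."""
    raw = installed_version(composer_lock_text)
    if raw is None:
        return "not-installed"
    ver = parse_version(raw)
    if ver is None:
        return "unknown-version"        # dev branch or unusual tag: check by hand
    if ver >= FIXED:
        return "patched"
    mods = enabled_modules(core_extension_yml)
    if {"config_pages", "jsonapi"} <= mods:
        return "affected"               # both conditions from the advisory hold
    return "outdated-not-exposed"       # still upgrade; JSONAPI may be enabled later

# Constructed sample inputs, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.1.2"},
    {"name": "drupal/config_pages", "version": "2.8.0"}]})
SAMPLE_EXT = "module:\n  config_pages: 0\n  jsonapi: 0\n  node: 0\ntheme:\n  olivero: 0\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_EXT))
```

A result of "outdated-not-exposed" still calls for the upgrade to 8.x-2.9, since the mitigation only holds while JSONAPI stays uninstalled.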