it-securitynotifies - [IT-SecNots] [Security-news] Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

it-securitynotifies AT lists.piratenpartei.de


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047
  • Date: Wed, 27 Sep 2023 17:44:29 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-047

Project: Content Moderation Notifications [1]
Date: 2023-September-27
Security risk: *Moderately critical* 11/25
AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:All [2]
Vulnerability: Information disclosure

Affected versions: >=3.0.0 <3.6.0
Description: 
This module enables notifications to be sent to all users of a particular
role, or to the content's author when a piece of content is transitioned from
one state to another via core's content_moderation module.

The module doesn't sufficiently check access to content when sending
notifications.
This vulnerability is mitigated by the fact that an attacker must have been
assigned to receive notifications for the given content. Additionally, only
data sent in the email is visible, so the attacker cannot access the content
on the site.
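The defensive pattern behind this class of bug is to run the entity access check for every recipient before any content data is placed into an outgoing email. The helper below is an added illustration, not the module's own code; the function name `cmn_example_filter_recipients` is hypothetical, while `ContentEntityInterface::access()` and `AccountInterface` are Drupal core APIs.

```php
<?php

use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Reduce notification recipients to accounts that may view the entity.
 *
 * Hypothetical helper (not the module's own code). Recipients selected by
 * role or by authorship are candidates only; each one is asked the same
 * question the site would ask if they opened the content themselves.
 *
 * @param \Drupal\Core\Entity\ContentEntityInterface $entity
 *   The content being transitioned between moderation states.
 * @param \Drupal\Core\Session\AccountInterface[] $candidates
 *   Accounts chosen by role or authorship, before any access check.
 *
 * @return \Drupal\Core\Session\AccountInterface[]
 *   Only the accounts allowed to view the entity.
 */
function cmn_example_filter_recipients(ContentEntityInterface $entity, array $candidates): array {
  $allowed = [];
  foreach ($candidates as $account) {
    // Entity API 'view' access evaluated as this specific account, so
    // unpublished or otherwise restricted content is excluded for anyone
    // who could not open it on the site.
    if ($account instanceof AccountInterface && $entity->access('view', $account)) {
      $allowed[] = $account;
    }
  }
  return $allowed;
}
```

Only the returned accounts should ever see the title, body or other fields of the content in an email; a recipient who fails the check can still be told that a transition happened without being shown the data.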

Solution: 
Install the latest version:

* If you use the Content Moderation Notifications module for Drupal 8.x,
upgrade to Content Moderation Notifications 8.x-3.6 [3].

Reported By: 
* lucasantunes [4]

Fixed By: 
* Jonathan Hedstrom [5]
* Luke Leber [6]
* Rob Holmes [7]

Coordinated By: 
* Jess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team


[1] https://www.drupal.org/project/content_moderation_notifications
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/content_moderation_notifications/releases/8.x-3.6
[4] https://www.drupal.org/user/3603448
[5] https://www.drupal.org/user/208732
[6] https://www.drupal.org/user/3509746
[7] https://www.drupal.org/user/1774034
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

