it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007
- Date: Wed, 31 Jan 2024 18:32:49 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-007
Project: Entity Delete Log [1]
Date: 2024-January-31
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <1.1.1
Description:
The Entity Delete Log module tracks the deletion of configured entity types,
such as nodes or comments.
The module does not enforce sufficient permissions on the log report page,
allowing an attacker to view information from deleted entities.
Solution:
Install the latest version:
* If you use the Entity Delete Log module for Drupal 9.x/10.x, upgrade to Entity Delete Log 1.1.1 [3]
Note: This release updates the default permissions for the entity_delete_log
view. After the update, you may want to review that permission if you already
changed it from the default.
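As an added example (not part of the advisory or the module's code), a small audit that resolves the effective access plugin of each display of an exported view, so an administrator can confirm after the update that the `entity_delete_log` view no longer has an unrestricted display. The JSON sample is constructed, and the view's machine name, page path and permission string are assumptions.

```python
"""Audit the access plugin of each display of a Drupal view, using the config
as exported by `drush config:get views.view.<machine_name> --format=json`."""
import json

# Constructed sample, NOT the module's real config: the default display is
# unrestricted, page_1 inherits that, page_2 overrides it with a permission.
SAMPLE_VIEW_JSON = """
{
  "id": "entity_delete_log",
  "display": {
    "default": {"display_plugin": "default",
                "display_options": {"access": {"type": "none", "options": {}}}},
    "page_1": {"display_plugin": "page",
               "display_options": {"path": "admin/reports/example-log"}},
    "page_2": {"display_plugin": "page",
               "display_options": {
                 "defaults": {"access": false},
                 "access": {"type": "perm",
                            "options": {"perm": "access site reports"}}}}
  }
}
"""

def effective_access(view, display_id):
    """Resolve the access plugin a display really uses, following inheritance."""
    displays = view["display"]
    opts = displays[display_id].get("display_options", {})
    # A display inherits from 'default' unless it sets defaults.access to false.
    overridden = opts.get("defaults", {}).get("access", True) is False
    if display_id != "default" and not overridden:
        opts = displays["default"].get("display_options", {})
    # Views falls back to the 'none' plugin when no access setting is stored.
    return opts.get("access", {"type": "none", "options": {}})

def audit_view_access(view):
    """Return {display_id: message} for every display that needs no permission."""
    findings = {}
    for display_id, display in view["display"].items():
        if effective_access(view, display_id).get("type", "none") == "none":
            findings[display_id] = (
                f"{display['display_plugin']} display '{display_id}' uses access "
                "plugin 'none': anyone reaching it can read the deleted-entity log")
    return findings

def audit_view_json(text):
    """Wrapper for the raw `drush config:get ... --format=json` output."""
    return audit_view_access(json.loads(text))

if __name__ == "__main__":
    print(*audit_view_json(SAMPLE_VIEW_JSON).values(), sep="\n")
```

Feed it the real export of `views.view.entity_delete_log` from your site; an empty result means every display requires a permission, and any `default` finding matters because page displays inherit from it.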
Reported By:
* Ryan Szrama [4]
Fixed By:
* Malay Nayak [5]
* Virendra Singh [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Heine [8] of the Drupal Security Team
* Benji Fisher [9] of the Drupal Security Team
[1] https://www.drupal.org/project/entity_delete_log
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_delete_log/releases/1.1.1
[4] https://www.drupal.org/user/49344
[5] https://www.drupal.org/user/3529755
[6] https://www.drupal.org/user/3652392
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/17943
[9] https://www.drupal.org/user/683300
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news