
it-securitynotifies - [IT-SecNots] [Security-news] Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017


it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017
  • Date: Wed, 24 Apr 2024 16:22:02 +0000 (UTC)
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 8C43741839
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 27C4882131
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-017

Project: Advanced PWA [1]
Date: 2024-April-24
Security risk: *Critical* 16∕25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.5.0
Description: 
Progressive web applications are web applications that load like regular web
pages or websites but can offer the user functionality such as working
offline, push notifications, and device hardware access traditionally
available only to native applications.

This module doesn't sufficiently protect access to the settings form,
allowing an unauthorized malicious user to view and modify the module
settings.

Solution: 
Install the latest version:

* If you use the Advanced Progressive Web App module for Drupal 8.x, upgrade
to Advanced Progressive Web App 8.x-1.5 [3]

Reported By: 
* Matthew Grasmick [4]

Fixed By: 
* gMaximus [5]

Coordinated By: 
* Greg Knaddison [6] of the Drupal Security Team
* Michael Hess [7] of the Drupal Security Team
* cilefen [8] of the Drupal Security Team
* Cathy Theys [9] of the Drupal Security Team


[1] https://www.drupal.org/project/advanced_pwa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/advanced_pwa/releases/8.x-1.5
[4] https://www.drupal.org/user/455714
[5] https://www.drupal.org/user/1612496
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/1850070
[9] https://www.drupal.org/user/258568
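
To check a site against the affected range stated above (<1.5.0, fixed in 8.x-1.5), the following added example, which is not part of the advisory or of the module's code, reads a composer.lock and classifies the installed Advanced PWA version. The Composer package name drupal/advanced_pwa, the handling of pre-releases and the sample lock contents are assumptions made for this example.

```python
import json
import re

PACKAGE = "drupal/advanced_pwa"  # assumption: Composer name is drupal/<project machine name>
FIXED = (1, 5, 0)                # advisory: affected versions are < 1.5.0

def parse_version(raw):
    """Turn '8.x-1.4', '1.4.0', 'v1.4.2' or '8.x-1.5-rc1' into (numbers, is_prerelease)."""
    v = raw.strip().lower().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop a Drupal core prefix such as '8.x-'
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?([a-z]+)\.?\d*)?$", v)
    if not m:
        return None  # dev branches such as '1.x-dev' cannot be compared
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, m.group(4) is not None

def is_affected(raw):
    """True if affected, False if fixed, None if the version cannot be judged."""
    parsed = parse_version(raw)
    if parsed is None:
        return None
    nums, prerelease = parsed
    # Assumption: a pre-release of the fixed version (1.5.0-rc1) sorts before 1.5.0.
    return nums < FIXED or (nums == FIXED and prerelease)

def audit_lock(lock_text):
    """Return (version, verdict) for the module in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, is_affected(version)
    return None

# Constructed sample input (not taken from any real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.2.5"},
    {"name": "drupal/advanced_pwa", "version": "1.4.0"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A verdict of None means the installed version is a dev branch or otherwise unparseable and has to be checked by hand against the 8.x-1.5 release.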
