it-securitynotifies - [IT-SecNots] [Security-news] Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
  • Date: Wed, 22 May 2024 17:05:41 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-020

Project: Email Contact [1]
Date: 2024-May-22
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <2.0.4
Description: 
The Email Contact module provides email field display formatters that can
display the field as a link to the contact form, or as an inline contact
form.

The module does not sufficiently handle restricted entity or field access to
the mail sending form, when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email
contact link" formatter to be used.
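To illustrate the class of check the advisory is about, here is an added example (not code from the email_contact module or its fix): a Drupal route access callback for a hypothetical module that serves the mail form for a given entity field, and that refuses the form unless the current user may view both the entity and the specific email field. The namespace, method name and route parameters are assumptions.

```php
<?php

namespace Drupal\example_contact\Access;  // hypothetical module namespace

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access check for a route like
 * /contact/{entity_type}/{entity_id}/{field_name}
 * that renders a mail form for one email field of one entity.
 */
class MailFormAccessCheck {

  public function __construct(
    private readonly EntityTypeManagerInterface $entityTypeManager,
  ) {}

  public function access(AccountInterface $account, string $entity_type, string $entity_id, string $field_name): AccessResult {
    $entity = $this->entityTypeManager->getStorage($entity_type)->load($entity_id);

    // Unknown entity or field: deny, and cache the denial per route.
    if (!$entity instanceof FieldableEntityInterface || !$entity->hasField($field_name)) {
      return AccessResult::forbidden('Unknown entity or field.');
    }

    $items = $entity->get($field_name);

    // Only an email field may back a mail form; anything else is denied.
    if ($items->getFieldDefinition()->getType() !== 'email') {
      return AccessResult::forbidden('Not an email field.');
    }

    // Entity-level view access, returned as an AccessResult so that its
    // cacheability metadata (per-user, per-entity) is carried along.
    $entity_access = $entity->access('view', $account, TRUE);

    // Field-level view access: a field hidden from this user must not leak
    // a form that targets its value. This is the check that the advisory
    // describes as insufficient for the "Email contact link" formatter.
    $field_access = $items->access('view', $account, TRUE);

    return $entity_access
      ->andIf($field_access)
      ->addCacheableDependency($entity);
  }

}
```

Wire the method up with `_custom_access` in the module's routing.yml; Drupal passes the route parameters by name and the current user as `$account`.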

Solution: 
Install the latest version:

* If you use the 2.0.x branch, upgrade to email_contact 2.0.4 [3].
* If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4 [4], as the
8.x-1.x branch is now unsupported.

Reported By: 
* Claudiu Cristea [5]

Fixed By: 
* Claudiu Cristea [6]
* Bálint Nagy [7]
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
* Juraj Nemec [13] of the Drupal Security Team


[1] https://www.drupal.org/project/email_contact
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_contact/releases/2.0.4
[4] https://www.drupal.org/project/email_contact/releases/2.0.4
[5] https://www.drupal.org/user/56348
[6] https://www.drupal.org/user/56348
[7] https://www.drupal.org/user/1763952
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/user/65776
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/xjm
[13] https://www.drupal.org/user/272316

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news