it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
- Date: Wed, 29 May 2024 20:16:44 +0000 (UTC)
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 1548241982
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org A26E082CCA
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-023
Project: Image Sizes [1]
Date: 2024-May-29
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <3.0.2
Description:
This module enables you to create responsive image styles that depend on the
parent element's width.
The module doesn't sufficiently check access to rendered images, resulting in
access bypass vulnerabilities in specific scenarios.
Solution:
Install the latest version.
* If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes
3.0.2 [3]
Reported By:
* Dezső Biczó [4]
Fixed By:
* Dezső Biczó [5]
* Pascal Crott [6]
* Juraj Nemec [7] of the Drupal Security Team
Coordinated By:
* Juraj Nemec [8] of the Drupal Security Team
* Neil Drumm [9] of the Drupal Security Team
[1] https://www.drupal.org/project/image_sizes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/image_sizes/releases/3.0.2
[4] https://www.drupal.org/user/315522
[5] https://www.drupal.org/user/315522
[6] https://www.drupal.org/user/647364
[7] https://www.drupal.org/user/272316
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/3064