
it-securitynotifies - [IT-SecNots] [Security-news] Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
  • Date: Wed, 25 Feb 2026 18:43:34 +0000 (UTC)
  • Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/WHRROALX4DOQHRCJYODOX6MJX3NJWI7F/>
  • List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-011

Project: Material Icons [1]
Date: 2026-February-25
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <2.0.4
CVE IDs: CVE-2026-3210
Description: 
This module enables you to add icons to CKEditor.

The module does not sufficiently protect the dialog and autocomplete routes
with custom permissions, allowing full access to those routes in most
scenarios.

Solution: 
Install the latest version and review permissions:

1) If you use the Material Icons module for Drupal, upgrade to Material
Icons 2.0.4 [3].
2) Assign the newly created "use material icons" permission to users who
should have access to the widgets.

Reported By: 
* Jen M (jannakha) [4]

Fixed By: 
* Bryan Sharpe (b_sharpe) [5]
* Jen M (jannakha) [6]

Coordinated By: 
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Ra Mänd (ram4nd) [10], provisional member of the Drupal Security Team
* Jess (xjm) [11] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [12]

[1] https://www.drupal.org/project/material_icons
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/material_icons/releases/2.0.4
[4] https://www.drupal.org/u/jannakha
[5] https://www.drupal.org/u/b_sharpe
[6] https://www.drupal.org/u/jannakha
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/ram4nd
[11] https://www.drupal.org/u/xjm
[12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3575758
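
The two solution steps above can be checked after the fact. The following is an added example, not part of the advisory or the module: it classifies the locked module version against the affected range and lists which roles hold the new permission. The Composer package name `drupal/material_icons`, the JSON shape of `drush role:list --format=json`, and all sample data are assumptions.

```python
import json
import re

PACKAGE = "drupal/material_icons"      # Composer name assumed from the project URL
FIXED = (2, 0, 4)                      # first fixed release per the advisory
PERMISSION = "use material icons"      # permission named in the advisory
BROAD_ROLES = {"anonymous", "authenticated"}  # Drupal's built-in catch-all roles

def installed_version(lock):
    """Return the locked version string for the module, or None if absent."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def status(version):
    """Classify a version against the advisory's affected range (<2.0.4)."""
    if version is None:
        return "not-installed"
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:  # dev branches and pre-releases cannot be ordered safely here
        return "manual-review"
    return "fixed" if tuple(map(int, m.groups())) >= FIXED else "affected"

def permission_holders(roles):
    """Return (broad, specific) role IDs that hold PERMISSION."""
    holders = sorted(r for r, d in roles.items()
                     if PERMISSION in (d.get("perms") or []))
    broad = [r for r in holders if r in BROAD_ROLES]
    return broad, [r for r in holders if r not in BROAD_ROLES]

# Constructed sample inputs: a composer.lock excerpt and role data in the
# shape assumed for `drush role:list --format=json`.
SAMPLE_LOCK = json.loads("""{"packages": [
  {"name": "drupal/core", "version": "10.3.1"},
  {"name": "drupal/material_icons", "version": "2.0.3"}]}""")
SAMPLE_ROLES = json.loads("""{
  "anonymous": {"label": "Anonymous user", "perms": ["access content"]},
  "authenticated": {"label": "Authenticated user",
                    "perms": ["access content", "use material icons"]},
  "content_editor": {"label": "Content editor",
                     "perms": ["use material icons", "create article content"]}}""")

if __name__ == "__main__":
    print("module:", status(installed_version(SAMPLE_LOCK)))
    broad, specific = permission_holders(SAMPLE_ROLES)
    print("granted to catch-all roles (review):", broad)
    print("granted to specific roles:", specific)
```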
