it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
- Date: Wed, 4 Mar 2026 17:58:00 +0000
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/RSBOF2ZOYZE6EDW2ZY3I7K4VKJTTTH6F/>
View online: https://www.drupal.org/sa-contrib-2026-022
Project: AJAX Dashboard [1]
Date: 2026-March-04
Security risk: *Critical* 17/25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <3.1.0
CVE IDs: CVE-2026-3527
Description:
AJAX Dashboard: Entity Dashboards enables you to create configurable
dashboards attached to entities which include AJAX-reloading of a main
content area based on inputs from a configurable set of buttons.
The module doesn't sufficiently check access on the dashboard configuration
route. Unauthorized users could access the entity dashboard configuration
page and either enable or disable dashboards. The affected administration
page does not permit editing the configurations of the dashboards themselves.
The vulnerability is mitigated by the fact that the AJAX Dashboard Entity
Dashboard submodule must be enabled.
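The defect described above is a route whose access requirement does not restrict who may reach the configuration page. As an added illustration (not the ajax_dashboard module's own code; the route, namespace and permission names are hypothetical placeholders), the following shows the weak routing pattern beside a hardened one that delegates to a Drupal custom access checker:

```php
<?php
// Added example, not the ajax_dashboard module's code. Route name, module
// namespace and permission string are hypothetical placeholders.
//
// Weak routing.yml entry (the pattern behind a route access bypass):
//   example_dashboard.config:
//     path: '/admin/config/example-dashboard'
//     defaults:
//       _controller: '\Drupal\example_dashboard\Controller\ConfigController::page'
//     requirements:
//       _access: 'TRUE'   # every request, including anonymous, is allowed
//
// Hardened routing.yml entry, delegating to the access checker below:
//   example_dashboard.config:
//     path: '/admin/config/example-dashboard'
//     defaults:
//       _controller: '\Drupal\example_dashboard\Controller\ConfigController::page'
//     requirements:
//       _custom_access: '\Drupal\example_dashboard\Access\DashboardConfigAccess::access'

namespace Drupal\example_dashboard\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access check for the (hypothetical) dashboard configuration route.
 */
class DashboardConfigAccess {

  /**
   * Allows the route only for accounts holding the administrative permission.
   *
   * AccessResult::allowedIfHasPermission() also adds the 'user.permissions'
   * cache context, so a cached "allowed" decision is never served to an
   * account with a different permission set.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermission($account, 'administer example dashboards');
  }

}
```

A quick check for this class of issue in a site's own modules is to grep each routing.yml for `_access: 'TRUE'` on administrative paths and confirm that every such route is intentionally public.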
Solution:
Install the latest version of the AJAX Dashboard module, which includes the
update to AJAX Dashboard: Entity Dashboards:
* If you use the AJAX Dashboard module, upgrade to AJAX Dashboard 3.1.0 [3]
Reported By:
* Juraj Nemec (poker10) [4] of the Drupal Security Team
Fixed By:
* Michael Nolan (laboratory.mike) [5]
Coordinated By:
* Bram Driesen (bramdriesen) [6] provisional member of the Drupal Security
Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/ajax_dashboard
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3576913
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/laboratorymike
[6] https://www.drupal.org/u/bramdriesen
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3577061
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Archive provided by MHonArc 2.6.19+.