
it-securitynotifies - [IT-SecNots] [Security-news] WissKI - Critical - Access bypass - SA-CONTRIB-2026-059

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] WissKI - Critical - Access bypass - SA-CONTRIB-2026-059
  • Date: Wed, 24 Jun 2026 18:40:58 +0000
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-059

Project: WissKI [1]
Date: 2026-June-24
Security risk: *Critical* 17 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <4.2.0
CVE IDs: CVE-2026-13239
Description: 
The module adds support for the Mirador viewer in WissKI and enables
annotations on images via the Mirador viewer.

It does not sufficiently check the parameters submitted via a route and
writes them to the session object without further checks, which can lead to
an access bypass.

This vulnerability is mitigated by the fact that it is specific to the
wisski_mirador submodule.

Solution: 
Install the latest version:

* If you use the WissKI module version 8.x-4.1, upgrade to WissKI 8.x-4.2 [3]

Reported By: 
* Drew Webber (mcdruid) [4] of the Drupal Security Team

Fixed By: 
* knurg [5]

Coordinated By: 
* cilefen (cilefen) [6] of the Drupal Security Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team

Security issue:
https://git.drupalcode.org/security/185226-wisski-security/-/work_items/1 [10]
------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/wisski
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wisski/releases/8.x-4.2
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/knurg
[6] https://www.drupal.org/u/cilefen
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10] https://git.drupalcode.org/security/185226-wisski-security/-/work_items/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3596054
