Biztonsági figyelmeztetések (contrib)

Project: Paragraphs tableDate: 2024-September-04Security risk: Critical 15∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.23.0 || >=2.0.0 <2.0.2Description: 

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).

This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.

Information disclosure

Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.

Access bypass

The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content" which is commonly assigned to all roles.

Solution: 

Install the latest version:

• If you use the paragraphs_table module 8.x-1.x, upgrade to paragraphs_table 8.x-1.23
• If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table 2.0.2 or newer

Reported By: 

• James Williams

Fixed By: 

• James Williams
• NGUYEN Bao
• Steven Jones
• Joseph Olstad

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Jess of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Content Entity CloneDate: 2024-September-04Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: <1.0.4Description: 

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.

The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.

This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.

Solution: 

Install the latest version:

• If you use the content_entity_clone module prior to version 1.0.4, upgrade to content_entity_clone 1.0.4

Reported By: 

• Vojislav Jovanovic

Fixed By: 

• orakili
• Vojislav Jovanovic

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: FreelinkingDate: 2024-September-04Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <4.0.1Description: 

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.

The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.

Solution: 

Install the latest version:

• If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
• If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported

Reported By: 

• Matthew Radcliffe

Fixed By: 

• Matthew Radcliffe
• Gisle Hannemyr

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team