[Security-news] AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018
security-news at drupal.org
security-news at drupal.org
Wed May 31 16:22:10 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-018
Project: AddToAny Share Buttons [1]
Date: 2023-May-31
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
This module provides social media share & follow buttons.
The module doesn't sufficiently check access to a node when retrieving the
label of an AddToAny block.
This vulnerability is mitigated by the fact it requires the node ID to be
passed via the route, requiring another module or specific configuration to
provide this ID, as the /node/{id} page doesn't provide this value on an
access denied.
Solution:
Install the latest version:
* If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10,
upgrade to AddToAny 2.0.4 [3]
* If you use the AddToAny Share Buttons module for Drupal versions before
9.4, upgrade to AddToAny 8.x-1.21 [4]
Reported By:
* Mitch Portier [5]
Fixed By:
* Vladimir Roudakov [6]
* micropat [7]
* Mitch Portier [8]
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/2.0.4
[4] https://www.drupal.org/project/addtoany/releases/8.x-1.21
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/673120
[7] https://www.drupal.org/user/260224
[8] https://www.drupal.org/user/2284182
[9] https://www.drupal.org/user/108450
More information about the Security-news
mailing list