View online: https://www.drupal.org/sa-contrib-2021-007
Project: Gutenberg [1]
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2021-May-12
Security risk: *Critical* 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not correctly validate access rules in certain situations, allowing anonymous users to delete reusable blocks.
Solution: Install the latest version:
* If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12 [3]
* If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0 [4]
* For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks.
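The advisory's fix gates reusable-block deletion behind a permission rather than leaving the route reachable by anonymous users. The following is an added illustration of that pattern in a custom Drupal module; it is not code from the Gutenberg module or the Drupal Security Team. The route name, path, module namespace (`my_editor`) and the permission machine name (`use gutenberg`) are assumptions chosen for the example.

```php
<?php

// Added example, not code from the Gutenberg module. It shows the access
// pattern the advisory's fix relies on: a route that deletes a reusable block
// must carry an access requirement instead of being open to every session.
//
// Hypothetical routing entry (my_editor.routing.yml) protected by the checker
// below. Route name, path and permission machine name are assumptions.
//
//   my_editor.reusable_block_delete:
//     path: '/my-editor/reusable-block/{block_id}/delete'
//     defaults:
//       _controller: '\Drupal\my_editor\Controller\ReusableBlockController::delete'
//     requirements:
//       # Weak setting: `_access: 'TRUE'` here would let anonymous users
//       # reach the delete endpoint. The corrected setting delegates to a
//       # permission-aware callback instead.
//       _custom_access: '\Drupal\my_editor\Access\ReusableBlockAccess::delete'
//     methods: [DELETE]

namespace Drupal\my_editor\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access callback for the hypothetical reusable-block delete route.
 */
class ReusableBlockAccess {

  /**
   * Permission gating view and delete of reusable blocks.
   *
   * The machine name is an assumption; the advisory refers to it by its
   * label "Use Gutenberg" (8.x-2.x).
   */
  const PERMISSION = 'use gutenberg';

  /**
   * Decides whether $account may delete a reusable block.
   *
   * Drupal resolves the AccountInterface argument from the current request,
   * so the same callback works for the page cache, dynamic page cache and
   * the routing access manager.
   */
  public static function delete(AccountInterface $account): AccessResultInterface {
    // Anonymous sessions are refused outright. The decision is tagged with
    // the user.roles:anonymous cache context so a cached "forbidden" for an
    // anonymous request is never served to an authenticated one.
    if ($account->isAnonymous()) {
      return AccessResult::forbidden('Anonymous users may not delete reusable blocks.')
        ->addCacheContexts(['user.roles:anonymous']);
    }

    // Administrator roles hold every permission, so they pass; any other role
    // passes only if it was explicitly granted the gating permission.
    // allowedIfHasPermission() adds the user.permissions cache context
    // itself, so the varying decision is cached per permission set.
    return AccessResult::allowedIfHasPermission($account, self::PERMISSION);
  }

}
```

Returning an `AccessResult` (rather than a bare boolean) matters because it carries cacheability metadata: a decision that depends on the account's permissions must vary by `user.permissions`, otherwise Drupal's render and page caches can replay one user's allow/deny to another, which is the same class of failure the advisory describes from a different direction.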
Reported By:
* Stephan Zeidler [5]
* Mariusz Andrzejewski [6]

Fixed By:
* Stephan Zeidler [7]
* codebymikey [8]
* Marco Fernandes [9]

Coordinated By:
* Damien McKenna [10] of the Drupal Security Team
[1] https://www.drupal.org/project/gutenberg
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gutenberg/releases/8.x-1.12
[4] https://www.drupal.org/project/gutenberg/releases/8.x-2.0
[5] https://www.drupal.org/user/767652
[6] https://www.drupal.org/user/3517832
[7] https://www.drupal.org/user/767652
[8] https://www.drupal.org/user/3573206
[9] https://www.drupal.org/user/2127558
[10] https://www.drupal.org/u/damienmckenna