View online: https://www.drupal.org/sa-contrib-2018-073
Project: Paragraphs [1] Version: 8.x-1.4 Date: 2018-October-31 Security risk: *Moderately critical* 10∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access Bypass
Description: The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users.
The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other contributed modules.
Solution: Install the latest version:
* If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.5 [3]
Also see the Paragraphs [4] project page.
Reported By: * Sam Becker [5]
Fixed By: * Sam Becker [6] * Alex Pott [7] of the Drupal Security Team * Sascha Grossenbacher [8] * Alex Bronstein [9] of the Drupal Security Team * Mateu Aguiló Bosch [10] * Miro Dietiker [11]
Coordinated By: * Greg Knaddison [12] of the Drupal Security Team
[1] https://www.drupal.org/project/paragraphs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3010590 [4] https://www.drupal.org/project/paragraphs [5] https://www.drupal.org/user/1485048 [6] https://www.drupal.org/user/1485048 [7] https://www.drupal.org/user/157725 [8] https://www.drupal.org/user/214652 [9] https://www.drupal.org/user/78040 [10] https://www.drupal.org/user/550110 [11] https://www.drupal.org/user/227761 [12] https://www.drupal.org/u/greggles