View online: https://www.drupal.org/sa-contrib-2023-040
Project: Data field [1] Version: 1.0.151.0.141.0.131.0.121.0.111.0.101.0.91.0.81.0.71.0.61.0.51.0.41.0.31.0.21.0.11.0.0 Date: 2023-August-23 Security risk: *Moderately critical* 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Affected versions: <1.0.16 Description: The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.
Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.
Solution: Install the latest version:
* If you use the Data Field module for Drupal 1.x, upgrade to Data Field 1.0.16 [3]
Reported By: * Mitch Portier [4]
Fixed By: * Mitch Portier [5] * Damien McKenna [6] of the Drupal Security Team * NGUYEN Bao [7] * Joseph Olstad [8]
Coordinated By: * Damien McKenna [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team * Neil Drumm [11] of the Drupal Security Team * Stella Power [12] of the Drupal Security Team
[1] https://www.drupal.org/project/datafield [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/datafield/releases/1.0.16 [4] https://www.drupal.org/user/2284182 [5] https://www.drupal.org/user/2284182 [6] https://www.drupal.org/user/108450 [7] https://www.drupal.org/user/2896581 [8] https://www.drupal.org/user/1321830 [9] https://www.drupal.org/user/108450 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/user/3064 [12] https://www.drupal.org/user/66894