View online: https://www.drupal.org/sa-contrib-2019-031
Project: Drupal voor Gemeenten [1] Date: 2019-March-06 Security risk: *Moderately critical* 13∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access Bypass
Description: The DvG distrubition contains the feature module dvg_domains to support multiple domains.
When the dvg_domains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages.
This issue can be mitigated by disabling the dvg_domains module.
Solution: Install the latest version:
* If you use the module dvg_domains from the DvG distribution upgrade to DvG 7.x-1.9 [3]
Reported By: * Bernard Skibinski [4]
Fixed By: * paulvandenburg [5]
Coordinated By: * Greg Knaddison [6] of the Drupal Security Team
[1] https://www.drupal.org/project/dvg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/dvg/releases/7.x-1.9 [4] https://www.drupal.org/user/807452 [5] https://www.drupal.org/user/3304805 [6] https://www.drupal.org/u/greggles