View online: https://www.drupal.org/sa-contrib-2024-020
Project: Email Contact [1]
Date: 2024-May-22
Security risk: *Moderately critical* 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.4

Description:
The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.
The module does not sufficiently handle restricted entity or field access to the mail sending form when the "Email contact link" formatter is used.
This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.
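The defensive pattern for this class of bug, shown as an added illustration rather than the Email Contact module's own code: the route that renders the mail-sending form must re-apply the same entity-level and field-level access checks that the field formatter already honours, instead of trusting that the link was only rendered to users who could see the field. The namespace, class name, route layout and field name below are assumptions.

```php
<?php

namespace Drupal\example_contact\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical access check for a route that renders a mail-sending form
 * for one email field of one entity (e.g. /contact/{entity_type}/{entity}/{field_name}).
 * Wired from routing.yml via `_custom_access`; parameter upcasting loads $entity.
 * Nothing here is the Email Contact module's own code.
 */
class MailFormAccess {

  public function access(FieldableEntityInterface $entity, string $field_name, AccountInterface $account): AccessResultInterface {
    // 1. The viewer must be allowed to see the host entity at all. Passing TRUE
    //    returns an AccessResult object so cacheability metadata is preserved.
    $entity_access = $entity->access('view', $account, TRUE);

    // 2. The field must exist on this bundle; otherwise there is nothing to serve.
    if (!$entity->hasField($field_name)) {
      return AccessResult::forbidden('No such field on this entity.')
        ->addCacheableDependency($entity);
    }

    // 3. Field-level access (hook_entity_field_access(), Field Permissions, ...)
    //    must also allow this account to view the field. A restricted field
    //    never renders the formatter link, so the form route must not render either.
    $field_access = $entity->get($field_name)->access('view', $account, TRUE);

    // Both checks must pass. andIf() combines the verdicts and merges the cache
    // metadata of both results; the entity is added as a cache dependency so the
    // cached verdict is invalidated when the entity changes.
    return $entity_access
      ->andIf($field_access)
      ->addCacheableDependency($entity);
  }

}
```

Returning an access result object rather than a bare boolean matters in Drupal: a boolean check here would lose the cache contexts (user permissions, entity tags) and could let the access decision be cached for the wrong audience.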
Solution:
Install the latest version:
* If you use the 2.0.x branch, upgrade to email_contact 2.0.4 [3].
* If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4 [4], as the 8.x-1.x branch is now unsupported.
Reported By:
* Claudiu Cristea [5]

Fixed By:
* Claudiu Cristea [6]
* Bálint Nagy [7]
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team

Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
* Juraj Nemec [13] of the Drupal Security Team
[1] https://www.drupal.org/project/email_contact
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_contact/releases/2.0.4
[4] https://www.drupal.org/project/email_contact/releases/2.0.4
[5] https://www.drupal.org/user/56348
[6] https://www.drupal.org/user/56348
[7] https://www.drupal.org/user/1763952
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/user/65776
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/xjm
[13] https://www.drupal.org/user/272316