View online: https://www.drupal.org/sa-contrib-2019-051
Project: TableField [1] Version: 7.x-3.x-dev7.x-2.x-dev Date: 2019-May-29 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass and Cross Site Scripting
Description: This module allows you to attach tabular data to an entity.
*Access bypass*
There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.
*XSS*
When "Raw data (JSON or XML)" is used in the field's Display settings, it doesn't sanitize JSON output before passing it on to be rendered.
This vulnerability is mitigated by the fact that an attacker must have a role with Edit permissions.
Solution: Install the latest version:
* If you use a Tablefield module version 7.x-2.x, upgrade to tablefield 7.x-3.5 [3]. * If you use a Tablefield module version 7.x-3.x, upgrade to tablefield 7.x-2.8 [4].
Also see the TableField [5] project page.
Reported By: * Yonatan Offek [6]
Fixed By: * Yonatan Offek [7] * Jen Lampton [8] * Martin Postma [9]
Coordinated By: * Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/tablefield [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tablefield/releases/7.x-3.5 [4] https://www.drupal.org/project/tablefield/releases/7.x-2.8 [5] https://www.drupal.org/project/tablefield [6] https://www.drupal.org/user/194009 [7] https://www.drupal.org/user/194009 [8] https://www.drupal.org/user/85586 [9] https://www.drupal.org/user/210402 [10] https://www.drupal.org/user/36762