View online: https://www.drupal.org/sa-contrib-2023-036
Project: Flexi Access [1] Date: 2023-August-23 Security risk: *Critical* 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Arbitrary PHP code execution
Description: The Flexi Access module will provide a simple and flexible interface to the ACL (Access Control List) module. It will let you set up and mange ACLs naming individual users that are allowed access to a particular node.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that known exploit paths require an attacker to have a combination of permissions provided by the module; for example "access flexiaccess" and "flexiaccess view". See _flexiaccess_node_access() for details. The "administer flexiaccess" permission alone does not grant access to the vulnerable functionality.
This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 [3] for the ACL module, on which Flexi Access depends.
Solution: Install the latest version:
* If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access 7.x-1.3 [4]. The ACL module (a dependency) must also be updated.
Reported By: * Drew Webber [5] of the Drupal Security Team
Fixed By: * Drew Webber [6] of the Drupal Security Team * Gisle Hannemyr [7]
Coordinated By: * Drew Webber [8] of the Drupal Security Team * Cathy Theys [9] of the Drupal Security Team * Damien McKenna [10] of the Drupal Security Team
[1] https://www.drupal.org/project/flexiaccess [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-contrib-2023-034 [4] https://www.drupal.org/project/flexiaccess/releases/7.x-1.3 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/255969 [7] https://www.drupal.org/user/409554 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/user/258568 [10] https://www.drupal.org/user/108450