View online: https://www.drupal.org/sa-contrib-2023-003
Project: Media Library Block [1]
Date: 2023-January-18
Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: >=1.0 <1.0.4
Description: The Media Library Block module allows you to render a media entity in a block.
The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.
Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.
Solution: Install the latest version:
* If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4 [3].
Reported By:
* Lee Rowlands [4] of the Drupal Security Team
* Dan Flanagan [5]
Fixed By:
* ayalon [6]
* xjm [7] of the Drupal Security Team
* Jan Hug [8]
* Dan Flanagan [9]
Coordinated By:
* Dave Reid [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/media_library_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/media_library_block/releases/1.0.4
[4] https://www.drupal.org/user/395439
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/419226
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/3652792
[9] https://www.drupal.org/user/3615359
[10] https://www.drupal.org/user/53892
[11] https://www.drupal.org/user/108450