View online: https://www.drupal.org/sa-contrib-2018-018
Project: Menu Import and Export [1] Version: 8.x-1.0 Date: 2018-April-18 Security risk: *Critical* 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon [2] Vulnerability: Access bypass
Description: This module helps in exporting and importing Menu Items via the administrative interface.
The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.
There is no mitigation for this vulnerability.
Solution: Update to Menu Import and Export 8.x-1.2 [3].
Reported By: * Nathan Dentzau [4]
Fixed By: * Sandeep Reddy [5]
Coordinated By: * Samuel Mortenson [6] of the Drupal Security Team * Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/menu_export [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/menu_export/releases/8.x-1.2 [4] https://www.drupal.org/u/nathandentzau [5] https://www.drupal.org/u/sandeepguntaka [6] https://www.drupal.org/u/samuelmortenson [7] https://www.drupal.org/u/mlhess