View online: https://www.drupal.org/sa-contrib-2019-060
Project: Existing Values Autocomplete Widget [1] Date: 2019-July-24 Security risk: *Critical* 17∕25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Description: This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.
The module doesn't sufficiently check for proper access permission before returning autocomplete results.
This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller though this is easily known.
Solution: Install the latest version:
* If you use the Existing Values Autocomplete Widget module for Drupal 8.x, upgrade to Existing Values Autocomplete Widget 8.x-1.2 [3]
Also see the Existing Values Autocomplete Widget [4] project page.
Reported By: * David Stinemetze [5]
Fixed By: * Art Williams [6]
Coordinated By: * Michael Hess [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/existing_values_autocomplete_widget [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3069768 [4] https://www.drupal.org/project/existing_values_autocomplete_widget [5] https://www.drupal.org/user/2508346 [6] https://www.drupal.org/user/77599 [7] https://www.drupal.org/user/102818 [8] https://www.drupal.org/user/36762