View online: https://www.drupal.org/sa-contrib-2018-017

Project: Exif [1] Version: 8.x-1.x-dev Date: 2018-March-21 Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass

Description:  This module enables you to retrieve image metadata and use them in fields or title.

The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Solution:  Install the latest version:

* If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1 [3]

Reported By:  * Jean-Francois Hovinne [4]

Fixed By:  * jphautin [5] * Jean-Francois Hovinne [6]

Coordinated By:  * Damien McKenna [7]

[1] https://www.drupal.org/project/exif [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/exif/releases/8.x-1.1 [4] https://www.drupal.org/user/77723 [5] https://www.drupal.org/user/534338 [6] https://www.drupal.org/user/77723 [7] https://www.drupal.org/user/108450