Webform - Critical - Access bypass - SA-CONTRIB-2020-016 - Security-news

6 May 2020


      View online: https://www.drupal.org/sa-contrib-2020-016
Project: Webform [1]
Date: 2020-May-06
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: 
This webform module enables you to build 'Term select' and 'Term checkboxes'
elements.
The module doesn't sufficiently check term 'view' access when rendering the
'Term select' and 'Term checkboxes' elements.  Unpublished terms will always
appear in the 'Term select' and 'Term checkboxes' elements.
Solution: 
Install the latest version:
* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
     [3]
Also see the Webform [4] project page.
Reported By: 
   * James Gilliland  [5] of the Drupal Security Team
Fixed By: 
   * Jacob Rockowitz  [6]
Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/48673
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/36762