View online: https://www.drupal.org/sa-contrib-2019-094

Project: Modal Page [1] Version: 8.x-2.48.x-2.38.x-2.28.x-2.18.x-2.0 Date: 2019-December-11 Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Description:  This project enables administrators to create modal dialogs.

The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations.

Solution:  * If you use the Modal Page module 8.x-2.x, upgrade to 8.x-2.5 [3] * Review user permissions after updating to ensure only trusted users have access to manage modals.

Reported By:  * Will Mowlam [4]

Fixed By:  * Renato Gonçalves H [5] * Thalles Ferreira [6]

Coordinated By:  * Damien McKenna [7] of the Drupal Security Team

[1] https://www.drupal.org/project/modal_page [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/modal_page/releases/8.x-2.5 [4] https://www.drupal.org/user/232558 [5] https://www.drupal.org/user/3326031 [6] https://www.drupal.org/user/3589086 [7] https://www.drupal.org/u/damienmckenna