View online: https://www.drupal.org/sa-contrib-2019-055
Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2019-July-10
Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: This module enables you to add and manage additional custom permissions through the administration UI.
The module doesn't sufficiently check for the proper access permissions on its administration page.
This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form, though this is easily known.
Solution: Install the latest version:
* If you use Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to Custom Permissions 8.x-1.2 [3]
Also see the Custom Permissions [4] project page.
Reported By:
* Mohammed Razem [5]
Fixed By:
* David Valdez [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.2
[4] https://www.drupal.org/project/config_perms
[5] https://www.drupal.org/user/255384
[6] https://www.drupal.org/user/992990
[7] https://www.drupal.org/user/36762