Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
View online: https://www.drupal.org/sa-contrib-2023-003

Project: Media Library Block [1]
Date: 2023-January-18
Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: >=1.0 <1.0.4

Description:
The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution:
Install the latest version:

* If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4 [3].

Reported By:
* Lee Rowlands [4] of the Drupal Security Team
* Dan Flanagan [5]

Fixed By:
* ayalon [6]
* xjm [7] of the Drupal Security Team
* Jan Hug [8]
* Dan Flanagan [9]

Coordinated By:
* Dave Reid [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team

[1] https://www.drupal.org/project/media_library_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/media_library_block/releases/1.0.4
[4] https://www.drupal.org/user/395439
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/419226
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/3652792
[9] https://www.drupal.org/user/3615359
[10] https://www.drupal.org/user/53892
[11] https://www.drupal.org/user/108450