View online: https://www.drupal.org/sa-contrib-2022-044
Project: Entity Browser Block [1]
Date: 2022-May-25
Security risk: *Moderately critical* 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: Entity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.
Solution: Install the latest version:
* If you use the entity_browser_block module for Drupal 8+, upgrade to entity_browser_block 8.x-1.2 [3]
Reported By:
* Dan Flanagan [4]
Fixed By:
* Dan Flanagan [5]
* Samuel Mortenson [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/entity_browser_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_browser_block/releases/8.x-1.2
[4] https://www.drupal.org/user/3615359
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/36762