View online: https://www.drupal.org/sa-contrib-2021-017

Project: Block Content Revision UI [1] Date: 2021-June-16 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass

Description:  This module provides a revision UI to Block Content entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

Solution:  Install the latest version:

* If you use the Block Content Revision UI module for Drupal 8.x, upgrade to Block Content Revision UI 2.127.1 [3]

Reported By:  * Michael Strelan [4]

Fixed By:  * Michael Strelan [5]

Coordinated By:  * Greg Knaddison [6] of the Drupal Security Team * Lee Rowlands [7] of the Drupal Security Team * Drew Webber [8] of the Drupal Security Team

[1] https://www.drupal.org/project/block_content_revision_ui [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/block_content_revision_ui/releases/2.127.1 [4] https://www.drupal.org/user/314289 [5] https://www.drupal.org/user/314289 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/395439 [8] https://www.drupal.org/user/255969