View online: https://www.drupal.org/sa-contrib-2018-040

Project: Entity Delete [1] Date: 2018-June-06 Security risk: *Critical* 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Multiple Vulnerabilities

Description:  This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution:  Install the latest version:

* If you use the Entity Delete module for Drupal 8.x, upgrade to Entity Delete 8.x-1.4 [3]

Also see the Entity Delete [4] project page.

Reported By:  * Balazs Janos Tatar [5]Provisional Security Team Member

Fixed By:  * Balazs Janos Tatar [6]Provisional Security Team Member * A Ajay Kumar Reddy [7]

Coordinated By:  * Balazs Janos Tatar [8]Provisional Security Team Member

[1] https://www.drupal.org/project/entity_delete [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/2977685 [4] https://www.drupal.org/project/entity_delete [5] https://www.drupal.org/user/649590 [6] https://www.drupal.org/user/649590 [7] https://www.drupal.org/user/3261994 [8] https://www.drupal.org/user/649590