[Security-news] SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

security-news at drupal.org security-news at drupal.org
Wed Nov 12 19:46:06 UTC 2014


View online: https://www.drupal.org/node/2373973

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-108
   * Project: Webform Component Roles [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-November-12
   * Security risk: 13/25 (Moderately Critical)
     AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
   * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Webform Component Roles module enables site admins to limit the visibility
or editability of webform components based on user roles.

The module doesn't sufficiently check that disabled component values are not
modified upon submission of the form.


-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Webform Component Roles 6.x-1.x versions prior to 6.x-1.8.
   * Webform Component Roles 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Webform
Component Roles [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Webform Component Roles module for Drupal 6.x, upgrade to
     Webform Component Roles 6.x-1.8 [5]
   * If you use the Webform Component Roles module for Drupal 7.x, upgrade to
     Webform Component Roles 7.x-1.8 [6]

Also see the Webform Component Roles [7] project page.
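
To find installs that still need this upgrade, the following added example
(not part of the advisory or the module) reads the version lines that the
drupal.org packaging script appends to a module's .info file and compares them
with the fixed releases listed above. The sample .info text and the function
names are constructed for illustration; dev snapshots and git checkouts are
reported as unknown so they can be reviewed by hand.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"6.x": (1, 8), "7.x": (1, 8)}
PROJECT = "webform_component_roles"

# Release strings such as 7.x-1.7, 7.x-1.8-beta1, 7.x-1.7+3-dev, 7.x-1.x-dev.
VERSION_RE = re.compile(
    r"^(?P<core>\d+\.x)-(?P<major>\d+)\.(?P<patch>\d+|x)"
    r"(?:-(?P<extra>[a-z]+\d*))?(?P<dev>\+\d+-dev)?$"
)

def parse_info(text):
    """Return the scalar key = value pairs of a Drupal .info file."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key.strip()] = value.strip().strip("\"'")
    return info

def assess(info_text):
    """Return 'affected', 'fixed', 'unknown' or 'not-applicable'."""
    info = parse_info(info_text)
    project = info.get("project")
    if project is not None and project != PROJECT:
        return "not-applicable"
    m = VERSION_RE.match(info.get("version", ""))
    if project is None or not m or m["core"] not in FIXED:
        return "unknown"  # git checkout without packaging lines, or other core
    if m["patch"] == "x" or m["extra"] or m["dev"]:
        return "unknown"  # dev snapshot or pre-release: review by hand
    release = (int(m["major"]), int(m["patch"]))
    if release[0] != FIXED[m["core"]][0]:
        return "unknown"  # the advisory only covers the 1.x branch
    return "affected" if release < FIXED[m["core"]] else "fixed"

# Constructed sample: the lines the drupal.org packaging script appends.
SAMPLE = """\
; Information added by Drupal.org packaging script on 2014-01-01
version = "7.x-1.7"
core = "7.x"
project = "webform_component_roles"
"""

if __name__ == "__main__":
    print(assess(SAMPLE))  # affected
```

The patch number is compared numerically, so a later release such as 1.10
is not mistaken for one older than 1.8.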

-------- REPORTED BY ---------------------------------------------------------

   * Colleen Blaho [8]

-------- FIXED BY ------------------------------------------------------------

   * Shawn Sheridan [9], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * David Rothstein [10] of the Drupal Security Team
   * Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] https://www.drupal.org/project/webform_component_roles
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_component_roles
[5] https://www.drupal.org/node/2373471
[6] https://www.drupal.org/node/2373473
[7] https://www.drupal.org/project/webform_component_roles
[8] https://www.drupal.org/user/3042419
[9] https://www.drupal.org/user/138669
[10] https://www.drupal.org/user/124982
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration


