[Security-news] Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
security-news at drupal.org
security-news at drupal.org
Wed Jun 6 16:28:51 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-040
Project: Entity Delete [1]
Date: 2018-June-06
Security risk: *Critical* 18∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
This module enables you to delete any types of entities in bulk.
The module doesn't sufficiently verify access permissions under its use
cases, leading to access bypass. The module also does not protect against
Cross Site Request Forgeries on its delete process.
The access bypass vulnerability is mitigated by the fact that an attacker
must have a role with the permission "access content". There is no additional
mitigation for the Cross Site Request Forgery vulnerability.
Solution:
Install the latest version:
* If you use the Entity Delete module for Drupal 8.x, upgrade to Entity
Delete 8.x-1.4 [3]
Also see the Entity Delete [4] project page.
Reported By:
* Balazs Janos Tatar [5]Provisional Security Team Member
Fixed By:
* Balazs Janos Tatar [6]Provisional Security Team Member
* A Ajay Kumar Reddy [7]
Coordinated By:
* Balazs Janos Tatar [8]Provisional Security Team Member
[1] https://www.drupal.org/project/entity_delete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2977685
[4] https://www.drupal.org/project/entity_delete
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/3261994
[8] https://www.drupal.org/user/649590
More information about the Security-news
mailing list