[Security-news] Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073
security-news at drupal.org
security-news at drupal.org
Wed Oct 31 18:17:04 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-073
Project: Paragraphs [1]
Version: 8.x-1.4
Date: 2018-October-31
Security risk: *Moderately critical* 10∕25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access Bypass
Description:
The Paragraphs module allows Drupal Site Builders to make content
organization cleaner so that you can give more editing power to end-users.
The module doesn't sufficiently check access to create new paragraph entities
which can cause access bypass issues when used in combination with other
contributed modules.
Solution:
Install the latest version:
* If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs
8.x-1.5 [3]
Also see the Paragraphs [4] project page.
Reported By:
* Sam Becker [5]
Fixed By:
* Sam Becker [6]
* Alex Pott [7] of the Drupal Security Team
* Sascha Grossenbacher [8]
* Alex Bronstein [9] of the Drupal Security Team
* Mateu Aguiló Bosch [10]
* Miro Dietiker [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
[1] https://www.drupal.org/project/paragraphs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3010590
[4] https://www.drupal.org/project/paragraphs
[5] https://www.drupal.org/user/1485048
[6] https://www.drupal.org/user/1485048
[7] https://www.drupal.org/user/157725
[8] https://www.drupal.org/user/214652
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/550110
[11] https://www.drupal.org/user/227761
[12] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list