[Security-news] Modal Page - Moderately critical - Access bypass - SA-CONTRIB-2019-094
security-news at drupal.org
security-news at drupal.org
Wed Dec 11 20:04:21 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-094
Project: Modal Page [1]
Version: 8.x-2.48.x-2.38.x-2.28.x-2.18.x-2.0
Date: 2019-December-11
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This project enables administrators to create modal dialogs.
The routes used by the module lacked proper permissions, allowing untrusted
users to access, create and modify modal configurations.
Solution:
* If you use the Modal Page module 8.x-2.x, upgrade to 8.x-2.5 [3]
* Review user permissions after updating to ensure only trusted users have
access to manage modals.
Reported By:
* Will Mowlam [4]
Fixed By:
* Renato Gonçalves H [5]
* Thalles Ferreira [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
[1] https://www.drupal.org/project/modal_page
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/modal_page/releases/8.x-2.5
[4] https://www.drupal.org/user/232558
[5] https://www.drupal.org/user/3326031
[6] https://www.drupal.org/user/3589086
[7] https://www.drupal.org/u/damienmckenna
More information about the Security-news
mailing list