[Security-news] Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055
security-news at drupal.org
security-news at drupal.org
Wed Jul 10 16:51:30 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-055
Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2019-July-10
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module enables you to add and manage additional custom permissions
through the administration UI.
The module doesn't sufficiently check for the proper access permissions to
this page.
This vulnerability is mitigated by the fact that an attacker must know the
route of the Custom Permissions administration form though this is easily
known.
Solution:
Install the latest version:
* If you use the Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to
Custom Permissions 8.x-1.2 [3]
Also see the Custom Permissions [4] project page.
Reported By:
* Mohammed Razem [5]
Fixed By:
* David Valdez [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.2
[4] https://www.drupal.org/project/config_perms
[5] https://www.drupal.org/user/255384
[6] https://www.drupal.org/user/992990
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list