[Security-news] Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
security-news at drupal.org
security-news at drupal.org
Wed Jul 24 19:20:13 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-060
Project: Existing Values Autocomplete Widget [1]
Date: 2019-July-24
Security risk: *Critical* 17∕25
AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module provides an autocomplete widget for text fields that suggests all
existing (previously entered) values for that field.
The module doesn't sufficiently check for proper access permission before
returning autocomplete results.
This vulnerability is mitigated by the fact that an attacker must know the
route to the autocomplete callback controller though this is easily known.
Solution:
Install the latest version:
* If you use the Existing Values Autocomplete Widget module for Drupal 8.x,
upgrade to Existing Values Autocomplete Widget 8.x-1.2 [3]
Also see the Existing Values Autocomplete Widget [4] project page.
Reported By:
* David Stinemetze [5]
Fixed By:
* Art Williams [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/existing_values_autocomplete_widget
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3069768
[4] https://www.drupal.org/project/existing_values_autocomplete_widget
[5] https://www.drupal.org/user/2508346
[6] https://www.drupal.org/user/77599
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list