[Security-news] TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

security-news at drupal.org security-news at drupal.org
Wed May 29 17:50:36 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-051

Project: TableField [1]
Version: 7.x-3.x-dev, 7.x-2.x-dev
Date: 2019-May-29
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass and Cross Site Scripting

Description: 
This module allows you to attach tabular data to an entity.

*Access bypass*

There's no entity access check for users with the "Export Tablefield Data as
CSV" permission. They can export data from unpublished nodes or otherwise
inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission 'Export Tablefield Data as CSV'.

*XSS*

When "Raw data (JSON or XML)" is used in the field's Display settings, it
doesn't sanitize JSON output before passing it on to be rendered.

This vulnerability is mitigated by the fact that an attacker must have a role
with Edit permissions.
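The defensive pattern behind both issues above (an entity access check on the export path, and escaping of the raw JSON before it is rendered), as an added Drupal 7 illustration that is not the Tablefield module's own code; the route path, function names, permission key, field name and row array shape are assumptions:

```php
<?php
// Added illustration, not the Tablefield module's own code. Assumed: route
// path, function names, permission key, field name and row array shape.

function example_tablefield_menu() {
  $items['example/tablefield/%node/csv'] = array(
    'title' => 'Export table as CSV',
    'page callback' => 'example_tablefield_export_csv',
    'page arguments' => array(2),
    // Hand the loaded node to the access callback so it can check entity
    // access as well as the permission.
    'access callback' => 'example_tablefield_export_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Access callback: the export permission alone is not sufficient; the user
// must also be allowed to view the node the table belongs to. node_access()
// denies unpublished nodes to users who cannot bypass node access.
function example_tablefield_export_access($node) {
  return user_access('export tablefield data as csv')
    && node_access('view', $node);
}

// Page callback: only reached once the access callback has passed.
function example_tablefield_export_csv($node) {
  $items = field_get_items('node', $node, 'field_table');
  drupal_add_http_header('Content-Type', 'text/csv; charset=utf-8');
  drupal_add_http_header('Content-Disposition', 'attachment; filename="table.csv"');
  $out = fopen('php://output', 'w');
  foreach ((array) $items as $item) {
    foreach ($item['rows'] as $row) {   // assumed: each item is an array of rows
      fputcsv($out, $row);
    }
  }
  fclose($out);
  drupal_exit();
}

// Raw JSON display: escape the encoded string so a cell containing markup
// such as "<script>" is shown literally instead of rendered by the browser.
function example_tablefield_raw_json(array $rows) {
  return '<pre>' . check_plain(drupal_json_encode($rows)) . '</pre>';
}
```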

Solution: 
Install the latest version:

   * If you use a Tablefield module version 7.x-2.x, upgrade to tablefield
     7.x-3.5 [3].
   * If you use a Tablefield module version 7.x-3.x, upgrade to tablefield
     7.x-2.8 [4].

Also see the TableField [5] project page.

Reported By: 
   * Yonatan Offek  [6]

Fixed By: 
   * Yonatan Offek  [7]
   * Jen Lampton  [8]
   * Martin Postma  [9]

Coordinated By: 
   * Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/tablefield
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tablefield/releases/7.x-3.5
[4] https://www.drupal.org/project/tablefield/releases/7.x-2.8
[5] https://www.drupal.org/project/tablefield
[6] https://www.drupal.org/user/194009
[7] https://www.drupal.org/user/194009
[8] https://www.drupal.org/user/85586
[9] https://www.drupal.org/user/210402
[10] https://www.drupal.org/user/36762



More information about the Security-news mailing list