[Security-news] Webform - Critical - Access bypass - SA-CONTRIB-2020-016
security-news at drupal.org
Wed May 6 17:25:36 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-016
Project: Webform [1]
Date: 2020-May-06
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Webform module enables you to build 'Term select' and 'Term checkboxes'
elements.
The module doesn't sufficiently check term 'view' access when rendering the
'Term select' and 'Term checkboxes' elements. Unpublished terms will always
appear in the 'Term select' and 'Term checkboxes' elements.
Solution:
Install the latest version:
* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11 [3]
Also see the Webform [4] project page.
Reported By:
* James Gilliland [5] of the Drupal Security Team
Fixed By:
* Jacob Rockowitz [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/48673
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/36762
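
The missing check from the Description, shown as an added example that is not part of the advisory and is not Webform's own code: a term option list built without and with a per-term 'view' access check, using Drupal core APIs. The function names and the 'tags' vocabulary ID are hypothetical, and the script assumes it runs inside a bootstrapped Drupal 8 site (for example via drush php:script).

```php
<?php

use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper: builds options with no per-term access check.
 * Every term in the vocabulary is listed, including unpublished ones.
 */
function example_term_options_unchecked(string $vocabulary_id): array {
  $storage = \Drupal::entityTypeManager()->getStorage('taxonomy_term');
  $options = [];
  // loadTree() with $load_entities = TRUE returns full term entities.
  foreach ($storage->loadTree($vocabulary_id, 0, NULL, TRUE) as $term) {
    $options[$term->id()] = $term->label();
  }
  return $options;
}

/**
 * Hypothetical helper: same list, filtered by 'view' access for $account.
 */
function example_term_options_checked(string $vocabulary_id, AccountInterface $account): array {
  $storage = \Drupal::entityTypeManager()->getStorage('taxonomy_term');
  $options = [];
  foreach ($storage->loadTree($vocabulary_id, 0, NULL, TRUE) as $term) {
    // access('view') applies core's term access rules, which take the
    // published status of the term into account.
    if ($term->access('view', $account)) {
      $options[$term->id()] = $term->label();
    }
  }
  return $options;
}

// Terms present only in the unchecked list are the ones an element without
// the access check would expose to this account.
$vid = 'tags'; // Constructed sample vocabulary ID (assumption).
$account = \Drupal::currentUser();
$exposed = array_diff_key(
  example_term_options_unchecked($vid),
  example_term_options_checked($vid, $account)
);
foreach ($exposed as $tid => $label) {
  print "Term $tid ($label) is not viewable by user {$account->id()}\n";
}
```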