[Security-news] Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017
security-news at drupal.org
security-news at drupal.org
Wed May 6 17:25:43 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-017
Project: Webform [1]
Date: 2020-May-06
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
This module enables you to build forms and surveys in Drupal.
The Webform Node sub-module allows these forms to be associated with a Drupal
node. The Webform Node module does not implement access checking in the same
manner as other nodes and entities. As such, writers of custom modules which
implement webform_node, node, or entity access checks may not achieve the
intended access results for Webform Node content.
There is no known exploit of this vulnerability and the vulnerability only
exists on sites with custom code and a node access module in use.
Solution:
Install the latest version:
* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
[3]
Also see the Webform [4] project page.
Reported By:
* Dan Chadwick [5]
Fixed By:
* Dan Chadwick [6]
* Jacob Rockowitz [7]
* Liam Morland [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/504278
[6] https://www.drupal.org/user/504278
[7] https://www.drupal.org/user/371407
[8] https://www.drupal.org/user/493050
[9] https://www.drupal.org/user/36762
More information about the Security-news
mailing list