[Security-news] Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021

security-news at drupal.org
Wed Jun 30 17:06:13 UTC 2021


View online: https://www.drupal.org/sa-contrib-2021-021

Project: Linky Revision UI [1]
Date: 2021-June-30
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module provides a revision UI for Linky entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role
with any of the permissions provided by Linky Revision UI, and another
affected module must be enabled.

Solution: 
Install the latest version:

   * If you use the Linky Revision UI module for Drupal 8.x, upgrade to Linky
     Revision UI 2.127.2 [3]

Reported By: 
   * Adam  [4]

Fixed By: 
   * Adam  [5]
   * Michael Strelan [6]

Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team
   * Damien McKenna [8] of the Drupal Security Team


[1] https://www.drupal.org/project/linky_revision_ui
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/linky_revision_ui/releases/2.127.2
[4] https://www.drupal.org/user/1036766
[5] https://www.drupal.org/user/1036766
[6] https://www.drupal.org/user/314289
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450


