[Security-news] Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025
security-news at drupal.org
security-news at drupal.org
Wed Feb 16 17:33:44 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-025
Project: Quick Edit [1]
Date: 2022-February-16
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This advisory addresses a similar issue to Drupal core - Moderately critical
- Information disclosure - SA-CORE-2022-004 [3].
The Quick Edit module does not properly check entity access in some
circumstances. This could result in users with the "access in-place editing"
permission viewing some content they are are not authorized to access.
Solution:
Install the latest version:
* If you use the Quick Edit module for Drupal 9.x, upgrade to Quick Edit
1.0.1 [4]
Reported By:
* Samuel Mortenson [5]
Fixed By:
* Théodore Biadala [6]
* xjm [7] of the Drupal Security Team
* Alex Bronstein [8] of the Drupal Security Team
* Adam G-H [9]
* Drew Webber [10] of the Drupal Security Team
* Wim Leers [11]
* Ted Bowman [12]
* Dave Long [13]
* Derek Wright [14]
* Lee Rowlands [15] of the Drupal Security Team
* Samuel Mortenson [16]
* Joseph Zhao [17]
[1] https://www.drupal.org/project/quickedit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2022-004
[4] https://www.drupal.org/project/quickedit/releases/1.0.1
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/598310
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/78040
[9] https://www.drupal.org/user/205645
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/240860
[13] https://www.drupal.org/user/246492
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/395439
[16] https://www.drupal.org/user/2582268
[17] https://www.drupal.org/user/1987218
More information about the Security-news
mailing list