[Security-news] Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
security-news at drupal.org
security-news at drupal.org
Wed May 25 17:39:18 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-044
Project: Entity Browser Block [1]
Date: 2022-May-25
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
Entity Browser Block provides a Block Plugin for every Entity Browser on your
site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to
place a block - either through the core "Block Layout" page or via a module
like Layout Builder.
Solution:
Install the latest version:
* If you use the entity_browser_block module for Drupal 8+, upgrade to
entity_browser_block 8.x-1.2 [3]
Reported By:
* Dan Flanagan [4]
Fixed By:
* Dan Flanagan [5]
* Samuel Mortenson [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/entity_browser_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_browser_block/releases/8.x-1.2
[4] https://www.drupal.org/user/3615359
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list