[Security-news] Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

security-news at drupal.org security-news at drupal.org
Wed Aug 23 18:21:54 UTC 2023 

View online: https://www.drupal.org/sa-contrib-2023-036

Project: Flexi Access [1]
Date: 2023-August-23
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Description: 
The Flexi Access module will provide a simple and flexible interface to the
ACL (Access Control List) module. It will let you set up and mange ACLs
naming individual users that are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that known exploit paths require
an attacker to have a combination of permissions provided by the module; for
example "access flexiaccess" and "flexiaccess view". See
_flexiaccess_node_access() for details. The "administer flexiaccess"
permission alone does not grant access to the vulnerable functionality.

This Security Advisory is being released in coordination with
SA-CONTRIB-2023-034 [3] for the ACL module, on which Flexi Access depends.

Solution: 
Install the latest version:

   * If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi 
Access
     7.x-1.3 [4].
     The ACL module (a dependency) must also be updated.

Reported By: 
   * Drew Webber [5] of the Drupal Security Team

Fixed By: 
   * Drew Webber [6] of the Drupal Security Team
   * Gisle Hannemyr [7]

Coordinated By: 
   * Drew Webber [8] of the Drupal Security Team
   * Cathy Theys [9] of the Drupal Security Team
   * Damien McKenna [10] of the Drupal Security Team


[1] https://www.drupal.org/project/flexiaccess
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-contrib-2023-034
[4] https://www.drupal.org/project/flexiaccess/releases/7.x-1.3
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/409554
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/258568
[10] https://www.drupal.org/user/108450

More information about the Security-news mailing list