[Security-news] Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037
security-news at drupal.org
Wed Aug 23 18:29:49 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-037
Project: Config Pages [1]
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <2.9.0
Description:
This module enables you to build administrative pages for managing
configuration objects, which may then be used elsewhere in the site.
The module doesn't sufficiently validate access when the JSONAPI module is
also installed.
This vulnerability is mitigated by the fact that it only affects sites when
the JSONAPI module is installed.
Solution:
Install the latest version:
* If you use the Config Pages module for Drupal 8+, upgrade to Config Pages
8.x-2.9 [3]
Reported By:
* Nate Andersen [4]
Fixed By:
* Nate Andersen [5]
* Alexander Shumenko [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/config_pages
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_pages/releases/8.x-2.9
[4] https://www.drupal.org/user/471638
[5] https://www.drupal.org/user/471638
[6] https://www.drupal.org/user/2297432
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/102818
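Added example, not part of the advisory and not Drupal or Config Pages code: a triage check that applies the two conditions stated above (Config Pages below 2.9.0, and JSONAPI installed) to a site's composer.lock and exported core.extension.yml. It assumes the site is Composer-managed, that release 8.x-2.8 appears in composer.lock as 2.8.0, and that configuration has been exported; the function names and sample inputs are constructed for illustration.

```python
import json
import re

FIXED = (2, 9, 0)  # advisory: affected versions are < 2.9.0

# Constructed sample inputs (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.1.2"},
    {"name": "drupal/config_pages", "version": "2.8.0"},
]})
SAMPLE_EXTENSIONS = """\
module:
  config_pages: 0
  jsonapi: 0
  node: 0
theme:
  olivero: 0
profile: standard
"""

def locked_version(lock_text, package="drupal/config_pages"):
    """Return the locked version as an int tuple, or None if absent or unparseable."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == package:
            m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", pkg.get("version", ""))
            return tuple(int(g or 0) for g in m.groups()) if m else None
    return None

def enabled_modules(extension_yaml):
    """Collect module names from the 'module:' mapping of core.extension.yml."""
    modules, in_modules = set(), False
    for line in extension_yaml.splitlines():
        if re.match(r"^\S", line):           # a top-level key starts a new section
            in_modules = line.strip() == "module:"
        elif in_modules:
            m = re.match(r"^\s+([a-z0-9_]+):", line)
            if m:
                modules.add(m.group(1))
    return modules

def assess(lock_text, extension_yaml):
    """Classify a site as 'exposed', 'upgrade', 'ok' or 'review'."""
    mods = enabled_modules(extension_yaml)
    if "config_pages" not in mods:
        return "ok"
    version = locked_version(lock_text)
    if version is None:
        return "review"                      # dev branch, or package not in the lock file
    if version >= FIXED:
        return "ok"
    return "exposed" if "jsonapi" in mods else "upgrade"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_EXTENSIONS))
```

"upgrade" means the module is below 2.9.0 but JSONAPI is not enabled, so the mitigating condition in the advisory currently holds; "review" means the version could not be compared and needs a manual look.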