[Security-news] Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
security-news at drupal.org
Wed Mar 15 17:58:48 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-010
Project: Media Responsive Thumbnail [1]
Date: 2023-March-15
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure
Description:
The Media Responsive Thumbnail module allows media reference fields to be
rendered as a responsive image.
This module does not properly check entity access prior to rendering media.
This may result in users seeing thumbnails of media items they do not have
access to.
This release was coordinated with SA-CORE-2023-002 [3].
Solution:
Install the latest version:
* If you use the Media Responsive Thumbnail module, upgrade to Media
Responsive Thumbnail 8.x-1.5 [4]
Reported By:
* Dan Flanagan [5]
Fixed By:
* Ivan Vidusenko [6]
* Benji Fisher [7] of the Drupal Security Team
Coordinated By:
* Benji Fisher [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
* Joseph Zhao [10] Provisional Member of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Dave Long [12] of the Drupal Security Team
[1] https://www.drupal.org/project/media_responsive_thumbnail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2023-002
[4] https://www.drupal.org/project/media_responsive_thumbnail/releases/8.x-1.5
[5] https://www.drupal.org/user/3615359
[6] https://www.drupal.org/user/2989799
[7] https://www.drupal.org/user/683300
[8] https://www.drupal.org/user/683300
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/1987218
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/246492
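
The missing check described above (entity access tested before a referenced media item's thumbnail is rendered), as an added example; this is not the module's code and not the fix shipped in 8.x-1.5. The function name `example_build_accessible_thumbnails` and the style id `example_style` are assumptions made for illustration.

```php
<?php

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Field\EntityReferenceFieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper (not from the module): builds responsive thumbnail
 * render arrays only for referenced media that $account may view.
 */
function example_build_accessible_thumbnails(EntityReferenceFieldItemListInterface $items, AccountInterface $account): array {
  $elements = [];
  $cacheability = new CacheableMetadata();

  foreach ($items->referencedEntities() as $delta => $media) {
    // Request the full AccessResult object (third argument TRUE) so that the
    // cache contexts and tags behind the decision are not lost.
    $access = $media->access('view', $account, TRUE);

    // The output now depends on who is viewing and on the media item, so the
    // render array must vary accordingly. Without this, a page cached for a
    // privileged user could be served to one who lacks access.
    $cacheability->addCacheableDependency($access);
    $cacheability->addCacheableDependency($media);

    if (!$access->isAllowed()) {
      // Skipping is the whole point: rendering the thumbnail of an
      // inaccessible media item is the information disclosure.
      continue;
    }

    $thumbnail = $media->get('thumbnail');
    if ($thumbnail->isEmpty()) {
      continue;
    }

    $elements[$delta] = [
      '#theme' => 'responsive_image_formatter',
      '#item' => $thumbnail->first(),
      // Assumed responsive image style id; use the formatter's setting.
      '#responsive_image_style_id' => 'example_style',
    ];
  }

  // Attach the collected cacheability to the returned render array.
  $cacheability->applyTo($elements);
  return $elements;
}
```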