[Security-news] AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018

security-news at drupal.org
Wed May 31 16:22:10 UTC 2023


View online: https://www.drupal.org/sa-contrib-2023-018

Project: AddToAny Share Buttons [1]
Date: 2023-May-31
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module provides social media share & follow buttons.

The module doesn't sufficiently check access to a node when retrieving the
label of an AddToAny block.

This vulnerability is mitigated by the fact that it requires the node ID to
be passed via the route. Another module or specific configuration must
provide this ID, as the /node/{id} page doesn't provide this value when
access is denied.
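
The class of bug described above, as an added illustration for Drupal 9/10 (this is not AddToAny's code and not the actual patch): a label built from the route's node with no access check, next to a form that checks view access first. The function names are hypothetical, and the helper assumes the route parameter is named "node" and may arrive either as an upcast entity or as a raw ID.

```php
<?php

use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Hypothetical helper: resolve the route's "node" parameter to an entity.
 * Depending on the route, the parameter is a node object or a raw ID.
 */
function example_route_node(RouteMatchInterface $route_match): ?NodeInterface {
  $param = $route_match->getParameter('node');
  if ($param instanceof NodeInterface) {
    return $param;
  }
  if (is_numeric($param)) {
    // Loading by ID performs no access check of its own.
    $node = \Drupal::entityTypeManager()->getStorage('node')->load($param);
    return $node instanceof NodeInterface ? $node : NULL;
  }
  return NULL;
}

/**
 * Unchecked pattern: the title of an unpublished or restricted node is
 * returned to whoever triggers the block render.
 */
function example_block_label_unchecked(RouteMatchInterface $route_match): ?string {
  $node = example_route_node($route_match);
  return $node ? (string) $node->label() : NULL;
}

/**
 * Checked pattern: expose the label only if $account may view the node;
 * otherwise return NULL so the caller falls back to a generic title.
 */
function example_block_label_checked(RouteMatchInterface $route_match, AccountInterface $account): ?string {
  $node = example_route_node($route_match);
  if ($node === NULL || !$node->access('view', $account)) {
    return NULL;
  }
  return (string) $node->label();
}
```

Output built from the checked label varies by viewer, so the render array that uses it also needs matching cache contexts.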

Solution: 
Install the latest version:

   * If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10,
     upgrade to AddToAny 2.0.4 [3]
   * If you use the AddToAny Share Buttons module for Drupal versions before
     9.4, upgrade to AddToAny 8.x-1.21 [4]

Reported By: 
   * Mitch Portier [5]

Fixed By: 
   * Vladimir Roudakov [6]
   * micropat [7]
   * Mitch Portier [8]

Coordinated By: 
   * Damien McKenna [9] of the Drupal Security Team


[1] https://www.drupal.org/project/addtoany
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/addtoany/releases/2.0.4
[4] https://www.drupal.org/project/addtoany/releases/8.x-1.21
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/673120
[7] https://www.drupal.org/user/260224
[8] https://www.drupal.org/user/2284182
[9] https://www.drupal.org/user/108450


