[Security-news] Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068
security-news at drupal.org
security-news at drupal.org
Wed Dec 4 17:21:31 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-068
Project: Pages Restriction Access [1]
Date: 2024-December-04
Security risk: *Critical* 15 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.0.3
Description:
Module to restrict access from anonymous and regular users to configured
pre-defined pages.
The module does not adequately handle protecting certain types of URLs.
Solution:
Install the latest version:
* If you use the Pages Restriction Access for Drupal 8.x or higher, upgrade
to Pages Restriction Access for Drupal 2.0.3 [3]
Reported By:
* Pierre Rudloff [4]
* Ivo Van Geertruyen [5] of the Drupal Security Team
Fixed By:
* renatog [6]
* Pierre Rudloff [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Damien McKenna [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team
* Ivo Van Geertruyen [11] of the Drupal Security Team
[1] https://www.drupal.org/project/pages_restriction
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pages_restriction/releases/2.0.3
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/3326031
[7] https://www.drupal.org/user/3611858
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/272316
[11] https://www.drupal.org/u/mrbaileys
More information about the Security-news
mailing list