[Security-news] Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-020

Project: Email Contact [1]
Date: 2024-May-22
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <2.0.4
Description: 
The Email Contact module provides email field display formatters that can
display the field as a link to the contact form, or as an inline contact
form.

The module does not sufficiently handle restricted entity or field access to
the mail sending form, when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email
contact link" formatter to be used.

Solution: 
Install the latest version:

   * If you use the 2.0.x branch, upgrade to email_contact 2.0.4 [3].
   * If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4 [4], as the
     8.x-1.x branch is now unsupported.

Reported By: 
   * Claudiu Cristea [5]

Fixed By: 
   * Claudiu Cristea [6]
   * Bálint Nagy [7]
   * Greg Knaddison [8] of the Drupal Security Team
   * Juraj Nemec [9] of the Drupal Security Team
   * xjm [10] of the Drupal Security Team

Coordinated By: 
   * Greg Knaddison [11] of the Drupal Security Team
   * xjm [12] of the Drupal Security Team
   * Juraj Nemec [13] of the Drupal Security Team


[1] https://www.drupal.org/project/email_contact
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_contact/releases/2.0.4
[4] https://www.drupal.org/project/email_contact/releases/2.0.4
[5] https://www.drupal.org/user/56348
[6] https://www.drupal.org/user/56348
[7] https://www.drupal.org/user/1763952
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/user/65776
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/xjm
[13] https://www.drupal.org/user/272316