[Security-news] Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

security-news at drupal.org
Wed May 29 20:16:44 UTC 2024


View online: https://www.drupal.org/sa-contrib-2024-023

Project: Image Sizes [1]
Date: 2024-May-29
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <3.0.2
Description: 
This module enables you to create responsive image styles that depend on the
parent element's width.

The module doesn't sufficiently check access to rendered images, resulting in
access bypass vulnerabilities in specific scenarios.

Solution: 
Install the latest version.

   * If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes
     3.0.2 [3]

Reported By: 
   * Dezső Biczó [4]

Fixed By: 
   * Dezső Biczó [5]
   * Pascal Crott [6]
   * Juraj Nemec [7] of the Drupal Security Team

Coordinated By: 
   * Juraj Nemec [8] of the Drupal Security Team
   * Neil Drumm [9] of the Drupal Security Team


[1] https://www.drupal.org/project/image_sizes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/image_sizes/releases/3.0.2
[4] https://www.drupal.org/user/315522
[5] https://www.drupal.org/user/315522
[6] https://www.drupal.org/user/647364
[7] https://www.drupal.org/user/272316
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/3064
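
To check whether a site is still on an affected release, the installed version can be read from the project's composer.lock. The script below is an added example, not part of the advisory or the Image Sizes project; it assumes the Composer package name drupal/image_sizes (Drupal's usual drupal/<project> convention), conservatively treats pre-releases of 3.0.2 as affected, and uses a constructed sample lock file.

```python
import json
import re

PACKAGE = "drupal/image_sizes"  # assumed Composer name: drupal/<project machine name>
FIXED = (3, 0, 2)               # first fixed release, per "Affected versions: <3.0.2"


def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for non-tagged versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", raw.strip())
    if not m:
        return None  # e.g. "3.x-dev": a branch checkout that cannot be compared
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def classify(raw):
    """Map a version string to 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"  # needs a manual look at the checked-out commit
    numbers, prerelease = parsed
    # Assumption: a pre-release such as 3.0.2-rc1 sorts before 3.0.2, so flag it.
    if numbers < FIXED or (numbers == FIXED and prerelease):
        return "affected"
    return "fixed"


def check_lock(lock_text):
    """Return (section, version, status) for each Image Sizes entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings


# Constructed sample, trimmed to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.6"},
        {"name": "drupal/image_sizes", "version": "3.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
```

An "unknown" result means the lock file pins a development branch, so the installed commit has to be compared against the 3.0.2 release by hand.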


