Nivo Slider - Less Critical - Access bypass - BACKDROP-SA-CONTRIB-2024-004
Nivo Slider does not check permissions properly, allowing anonymous site visitors access to admin pages where they can change the module settings.
The reason is in the function nivo_slider_menu() where the property 'access callback' is set to TRUE (for 3 admin paths).
- Nivo Slider 1.x versions prior to 3.0.0