- ACL versions prior to 1.x-1.4.0
The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Examples of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.
This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.
Known client modules include:
- Forum Access
- Content Access
- Flexi Access (Drupal only)
Coordinated Security Advisories are being released for those client modules that have Security coverage.
Install the latest version:
- If you use the ACL module for Backdrop 1.x, upgrade to ACL 1.x-1.4.0
Any client modules that depend on ACL should also be updated.
- Drew Webber of the Drupal Security Team
- Samuel Mortenson
- Drew Webber of the Drupal Security Team
- Hans Salvisberg
- Jen Lampton of the Backdrop CMS Security Team
- xeM8VfDh
- Drew Webber of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team