Date:
Wednesday, Aug 23rd, 2023
Advisory ID:
BACKDROP-SA-CONTRIB-2023-007
Security risk:
Critical
Vulnerability:
Remote Code Execution
Versions affected:
- Content Access, all versions prior to 1.x-1.3.0
Description:
This module allows you to manage permissions for content types by role. It allows you to specify custom view, view own, edit, edit own, delete and delete own permissions for each content type. This module integrates with the ACL module.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker needs the "Grant content access" or "Grant own content access" permission.
This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, which Content Access can integrate with.
Solution:
Install the latest version:
- If you use the Content Access module upgrade to Content Access 1.x-1.3.0
The ACL module (an optional integration) should also be updated.
Reported By:
- Drew Webber of the Drupal Security Team
Fixed By:
- Laryn Kragt Bakker, Backdrop module maintainer
- Jen Lampton of the Backdrop CMS Security Team
Coordinated By:
- Jen Lampton of the Backdrop CMS Security Team