Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee EdgeVersion: 8.x-1.x-devDate: 2020-July-22Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
The "Apigee Edge Teams" submodule has an information disclosure vulnerability. The "Add team member" form displays an email autocomplete field which can expose the email addresses of other accounts in the system.
This vulnerability is mitigated by the fact that to have access to the form, the site must have the Apigee Edge Teams submodule enabled, and the user must have a team role that has the "Manage team members" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions).Solution: Install the latest version:

Also see the Apigee Edge project page.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2020-028