Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037
Project: Config Pages
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: <2.9.0
Description: This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.
The module doesn't sufficiently validate access when the JSONAPI module is also installed.
This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.
Solution: Install the latest version:
- If you use the Config Pages module for Drupal 8+, upgrade to Config Pages 8.x-2.9
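To triage a site against the two conditions in this advisory (Config Pages older than 2.9.0, and JSONAPI installed), the shell functions below are an added example, not code from the advisory or the module. The function names, verdict strings and sample module list are constructed; the inputs are assumed to come from your own inventory, such as Composer and Drush output.

```shell
# Added example: classify one site against SA-CONTRIB-2023-037.
# Assumed inputs: the installed drupal/config_pages version string and the
# machine names of the installed modules, one per line.

# Exit status: 0 = affected (<2.9.0), 1 = not affected, 2 = cannot decide.
config_pages_affected() {
  _cp_v=${1#8.x-}                 # legacy "8.x-2.8" -> "2.8"
  case $_cp_v in
    # dev/rc/beta builds or malformed strings: leave for manual review
    *[!0-9.]*|''|.*|*.|*..*) return 2 ;;
  esac
  _cp_major=${_cp_v%%.*}
  _cp_rest=${_cp_v#*.}
  [ "$_cp_rest" = "$_cp_v" ] && return 2   # no minor component present
  _cp_minor=${_cp_rest%%.*}
  [ "$_cp_major" -lt 2 ] && return 0
  [ "$_cp_major" -eq 2 ] && [ "$_cp_minor" -lt 9 ] && return 0
  return 1
}

# $1 = config_pages version, $2 = newline-separated installed module names.
# Prints one of: exposed, upgrade-recommended, patched, unknown-version.
triage() {
  config_pages_affected "$1" && _cp_rc=0 || _cp_rc=$?
  case $_cp_rc in
    1) echo "patched" ;;
    2) echo "unknown-version" ;;
    0) # The advisory's mitigating factor: only sites with JSONAPI are affected.
       if printf '%s\n' "$2" | grep -qx 'jsonapi'; then
         echo "exposed"
       else
         echo "upgrade-recommended"
       fi ;;
  esac
}

# Constructed sample inventory (not taken from a real site).
SAMPLE_MODULES='config_pages
jsonapi
node
serialization'

triage "8.x-2.8" "$SAMPLE_MODULES"
triage "8.x-2.9" "$SAMPLE_MODULES"
```

A site reported as `upgrade-recommended` still runs an affected release and becomes exposed as soon as JSONAPI is installed.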
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Michael Hess of the Drupal Security Team