Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

Wed, 2023-08-23 10:24 — Anonymous (not verified)

Project: Data fieldVersion: 1.0.151.0.141.0.131.0.121.0.111.0.101.0.91.0.81.0.71.0.61.0.51.0.41.0.31.0.21.0.11.0.0Date: 2023-August-23Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.0.16Description: The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.
Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.Solution: Install the latest version:

If you use the Data Field module for Drupal 1.x, upgrade to Data Field 1.0.16

Reported By:

Mitch Portier

Fixed By:

Mitch Portier
Damien McKenna of the Drupal Security Team
NGUYEN Bao
Joseph Olstad

Coordinated By:

Damien McKenna of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Stella Power of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-040

Search form

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040