Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

Project: Existing Values Autocomplete Widget

Date: 2019-July-24

Security risk: Critical 17∕25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All

Vulnerability: Access bypass

Description: This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.
The module doesn't sufficiently check for proper access permission before returning autocomplete results.
This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller, though this is easily known.

Solution: Install the latest version:

Also see the Existing Values Autocomplete Widget project page.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2019-060