Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036
Project: Flexi Access
Date: 2023-August-23
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description: The Flexi Access module will provide a simple and flexible interface to the ACL (Access Control List) module. It will let you set up and manage ACLs naming individual users that are allowed access to a particular node.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that known exploit paths require an attacker to have a combination of permissions provided by the module; for example "access flexiaccess" and "flexiaccess view". See _flexiaccess_node_access() for details. The "administer flexiaccess" permission alone does not grant access to the vulnerable functionality.
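The advisory does not show the vulnerable code path. The following is an added illustration, not Flexi Access code, of the general pattern behind PHP object injection (untrusted input reaching unserialize()) and the two usual ways to harden it; the class name, the serialized input and the function names are assumptions.

```php
<?php
// Added illustration (not Flexi Access code): how PHP object injection arises
// when untrusted input reaches unserialize(), and how to harden it.
// The class name, the input and the helper function names are assumptions.

class AuditEntry
{
    public string $note = '';

    // Magic methods run automatically during unserialize(); whoever controls
    // the serialized string chooses which class (and thus which __wakeup or
    // __destruct) gets instantiated. This one only records that it ran.
    public function __wakeup(): void
    {
        $this->note = 'AuditEntry::__wakeup executed during unserialize()';
    }
}

// Vulnerable pattern: the serialized blob comes straight from the request,
// so any loadable class can be instantiated and its magic methods fired.
function restore_vulnerable(string $userInput): mixed
{
    return unserialize($userInput);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the input
// come back as __PHP_Incomplete_Class, whose magic methods never run.
function restore_hardened(string $userInput): mixed
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not accept serialize() output from requests at all.
// JSON decodes to arrays and scalars only, never to objects with behaviour.
function restore_json(string $userInput): ?array
{
    $data = json_decode($userInput, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed input: a serialized AuditEntry as a request could carry it.
$constructed = 'O:10:"AuditEntry":1:{s:4:"note";s:0:"";}';

$obj = restore_vulnerable($constructed);
echo get_class($obj), ': ', $obj->note, PHP_EOL;   // __wakeup has run

$safe = restore_hardened($constructed);
echo get_class($safe), PHP_EOL;                     // no AuditEntry created

var_dump(restore_json('{"note":"from json"}'));     // plain array, no object
```

In a Drupal 7 module the same rule applies to anything read from $_GET, $_POST, cookies or form state: keep it out of unserialize(), or pass allowed_classes => false.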
This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Flexi Access depends.
Solution: Install the latest version:
- If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access 7.x-1.3.
The ACL module (a dependency) must also be updated.
Reported By:
- Drew Webber of the Drupal Security Team
Fixed By:
- Drew Webber of the Drupal Security Team
- Gisle Hannemyr
Coordinated By:
- Drew Webber of the Drupal Security Team
- Cathy Theys of the Drupal Security Team
- Damien McKenna of the Drupal Security Team