Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
Project: Freelinking
Date: 2024-September-04
Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: <4.0.1
Description: This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.
The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.
Solution: Install the latest version:
- If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
- If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team