Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Wed, 2023-01-18 09:36 — Anonymous (not verified)

Project: Media Library BlockDate: 2023-January-18Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=1.0 <1.0.4Description: The Media Library Block module allows you to render a media entity in a block.
The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.
Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.Solution: Install the latest version:

If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.

Reported By:

Lee Rowlands of the Drupal Security Team
Dan Flanagan

Fixed By:

ayalon
xjm of the Drupal Security Team
Jan Hug
Dan Flanagan

Coordinated By:

Dave Reid of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-003

Search form

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003