Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Project: Media Library Form API ElementVersion: 8.x-1.38.x-1.28.x-1.1Date: 2023-January-18Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: >=2.0 <2.0.6Description: This module enables you to use the media library in custom forms without the Media Library Widget.
The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.Solution: Install the latest version:

  • If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
  • If you use the Media Library Form API Element module version 8.x-1.* they are all affected and are no longer supported. You should upgrade to 2.0.6.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2023-004