TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

Project: TableField
Version: 7.x-3.x-dev, 7.x-2.x-dev
Date: 2019-May-29
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass and Cross Site Scripting
Description: This module allows you to attach tabular data to an entity.
Access bypass
There is no entity access check on the CSV export path: a user holding the "Export Tablefield Data as CSV" permission is only checked for that permission, not for access to the entity being exported, and can therefore export table data from unpublished nodes or other entities they are not otherwise allowed to view.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.
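The following is an added illustration of the access-bypass class described above, not the TableField module's own code. It contrasts a Drupal 7 menu router entry that checks only the role permission with one whose access callback also requires view access to the specific entity and field being exported. The menu paths, the function names and the permission machine name 'export tablefield data as csv' are assumptions; hook_menu(), user_access(), node_access(), field_access(), entity_load() and field_get_items() are Drupal 7 core APIs, and entity_access() is provided by the Entity API contrib module.

```php
<?php
// Added illustration of the access-bypass class described above; this is not
// the TableField module's own code. The menu paths, the function names and the
// permission machine name 'export tablefield data as csv' are assumptions.

/**
 * Implements hook_menu().
 */
function example_tablefield_menu() {
  $items = array();

  // Weak: with only 'access arguments', Drupal runs user_access() on the
  // permission and nothing else, so any holder of the permission can export
  // the table of any entity, including unpublished nodes it cannot view.
  $items['tablefield/export-weak/%/%/%/%'] = array(
    'page callback' => 'example_tablefield_export_csv',
    'page arguments' => array(2, 3, 4, 5),
    'access arguments' => array('export tablefield data as csv'),
    'type' => MENU_CALLBACK,
  );

  // Hardened: a dedicated access callback also requires view access to the
  // specific entity and field that are about to be exported.
  $items['tablefield/export/%/%/%/%'] = array(
    'page callback' => 'example_tablefield_export_csv',
    'page arguments' => array(2, 3, 4, 5),
    'access callback' => 'example_tablefield_export_access',
    'access arguments' => array(2, 3, 4),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: permission AND view access on the entity AND the field.
 */
function example_tablefield_export_access($entity_type, $entity_id, $field_name) {
  if (!user_access('export tablefield data as csv')) {
    return FALSE;
  }
  $entities = entity_load($entity_type, array((int) $entity_id));
  if (empty($entities[$entity_id])) {
    return FALSE;
  }
  $entity = $entities[$entity_id];

  // Core only knows how to check nodes; other entity types need Entity API.
  if ($entity_type == 'node') {
    $can_view = node_access('view', $entity);
  }
  elseif (function_exists('entity_access')) {
    $can_view = entity_access('view', $entity_type, $entity);
  }
  else {
    // Fail closed when no access check is available for this entity type.
    $can_view = FALSE;
  }
  if (!$can_view) {
    return FALSE;
  }

  // Field-level access can be narrower than entity access (e.g. Field Permissions).
  $field = field_info_field($field_name);
  return $field && field_access('view', $field, $entity_type, $entity);
}

/**
 * Page callback: streams one delta of the field as CSV.
 *
 * Assumption: the table is stored as a serialized array of rows in the item's
 * 'value' column. Adjust the row extraction to the real storage format.
 */
function example_tablefield_export_csv($entity_type, $entity_id, $field_name, $delta) {
  $entities = entity_load($entity_type, array((int) $entity_id));
  $items = field_get_items($entity_type, $entities[$entity_id], $field_name);
  $rows = isset($items[$delta]['value']) ? unserialize($items[$delta]['value']) : array();

  drupal_add_http_header('Content-Type', 'text/csv; charset=utf-8');
  drupal_add_http_header('Content-Disposition', 'attachment; filename="' . check_plain($field_name) . '.csv"');
  $out = fopen('php://output', 'w');
  foreach ((array) $rows as $row) {
    fputcsv($out, (array) $row);
  }
  fclose($out);
  drupal_exit();
}
```

The point of the hardened variant is that the permission gates the feature, while entity and field access gate the data; an export endpoint that checks only the first lets the permission act as a global read of every entity's table data.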
XSS
When "Raw data (JSON or XML)" is selected in the field's Display settings, the formatter does not sanitize the JSON output before passing it on to be rendered, so HTML contained in the stored table data reaches the page unescaped.
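The following is an added illustration of the XSS class described above, not the TableField module's own code. It places a formatter that drops raw JSON into page markup unescaped beside one that escapes the output before rendering, and extends the same treatment to the XML variant. The function names are assumptions; check_plain(), drupal_json_encode() and the '#markup' render element are Drupal 7 core.

```php
<?php
// Added illustration of the XSS class described above; this is not the
// TableField module's own code. Function names are assumptions.

/**
 * Weak formatter output: raw JSON dropped straight into page markup.
 *
 * $rows is the table as an array of row arrays of cell strings. Cells are
 * user-entered, so anyone with edit access on the entity controls them.
 */
function example_tablefield_json_markup_weak(array $rows) {
  // json_encode() without the JSON_HEX_* flags leaves '<', '>', '"' and '&'
  // untouched, so a cell holding "<script>..." reaches the browser as live HTML.
  return array('#markup' => json_encode($rows));
}

/**
 * Hardened formatter output: the JSON is escaped as text before rendering.
 */
function example_tablefield_json_markup(array $rows) {
  // drupal_json_encode() applies JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_AMP|
  // JSON_HEX_QUOT on PHP 5.3+, turning '<' into \u003C inside the JSON string.
  // check_plain() is applied as well so the result is safe to embed regardless
  // of how the JSON string was produced; <pre> keeps it readable.
  $json = check_plain(drupal_json_encode($rows));
  return array('#markup' => '<pre>' . $json . '</pre>');
}

/**
 * XML variant: every cell value is escaped before it is embedded in the
 * document, and the finished document is escaped once more to be shown as text.
 */
function example_tablefield_xml_markup(array $rows) {
  $xml = "<table>\n";
  foreach ($rows as $r => $row) {
    $xml .= '  <row index="' . (int) $r . "\">\n";
    foreach ($row as $c => $cell) {
      $xml .= '    <cell index="' . (int) $c . '">' . check_plain($cell) . "</cell>\n";
    }
    $xml .= "  </row>\n";
  }
  $xml .= "</table>\n";
  return array('#markup' => '<pre>' . check_plain($xml) . '</pre>');
}

/**
 * Constructed sample (not real site data): a cell holding a script tag, as an
 * editor with edit access could enter it. Returns the weak and hardened markup
 * side by side so the difference can be inspected.
 */
function example_tablefield_compare() {
  $sample = array(
    array('Name', 'Note'),
    array('alice', '<script>alert(document.cookie)</script>'),
  );
  return array(
    // Contains a literal "<script>" tag.
    'weak' => example_tablefield_json_markup_weak($sample),
    // Contains "\u003Cscript\u003E": no tag reaches the HTML parser.
    'json' => example_tablefield_json_markup($sample),
    // Contains "&amp;lt;script&amp;gt;": rendered as the text "&lt;script&gt;".
    'xml' => example_tablefield_xml_markup($sample),
  );
}
```

The weak form shows why the mitigating factor is edit access rather than the permission to view: whoever can edit a table cell chooses the bytes that are later rendered, so the formatter, not the input form, is where the escaping has to happen.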
This vulnerability is mitigated by the fact that an attacker must have a role with Edit permissions.

Solution: Install the latest version:

Also see the TableField project page.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2019-051