Vulnerability from drupal
Published: 2023-06-28 17:15
Modified: 2023-07-31 21:17
Summary
Details

This module enables a UI to display all libraries provided by modules and themes on the Drupal site.

The module doesn't sufficiently protect the libraries reporting page. It currently uses the 'access content' permission rather than a proper administrative/access permission.

The vulnerability/library information can be exploited simply by visiting/knowing the URL of the reporting page. The solution is to protect the page via a module-specific permission that must be granted by an administrative user.

Credits
Jörg Riemenschneider www.drupal.org/user/2809357

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.1.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/libraries_ui"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.1.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/2809357"
      ],
      "name": "J\u00f6rg Riemenschneider"
    }
  ],
  "details": "This module enables a UI to display all libraries provided by modules and themes on the Drupal site.\n\nThe module doesn\u0027t sufficiently protect the libraries reporting page. It curently is using the \u0027access content\u0027 permission and not a proper administrative/access permission.\n\nThe vulnerability/library information can be exploited by simply visiting/knowing the url of the reporting page. The solution is to protect the page via a module specific permission that must be granted by an administrative user.",
  "id": "DRUPAL-CONTRIB-2023-027",
  "modified": "2023-07-31T21:17:46.000Z",
  "published": "2023-06-28T17:15:03.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2023-027"
    }
  ],
  "schema_version": "1.7.0"
}

