Drupal core Access control bypass
Moderate severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Package
Affected versions
>= 8.0.0, < 8.7.11
>= 8.8.0, < 8.8.1
Patched versions
8.7.11
8.8.1
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.
Solution:
If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on
/admin/config/media/media-library
. (This mitigation is not available in 8.7.x.)References