Drupal Patches Vulnerabilities Leading to Information Disclosure


This week, Drupal released software updates to address four vulnerabilities in the Drupal core and three plugins that could give third parties access to data. The Media Library module does not always perform sufficient entity access checks, which might permit users who have permission to modify content to read metadata about media assets to which they shouldn’t have access. The Media Library Form API Element plugin, which allows the media library to be used in custom forms without requiring the Media Library Widget, is affected by the same problem. The vulnerabilities are “mitigated by the fact that the inaccessible material will only be exposed to users who already have the ability to modify content that includes a media reference field.”
