Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Project: Custom Permissions
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13∕25
Vulnerability: Access bypass

Description

 

Custom Permissions is a lightweight module that allows permissions to be
created and managed through an administrative form.

When this module is in use, any user who is able to perform an action which
rebuilds some of Drupal's caches can trigger a scenario in which certain
pages protected by this module's custom permissions temporarily lose those
custom access controls, thereby leading to an access bypass vulnerability.

Solution

Install the latest version:

If you use the Custom Permissions module for Drupal 8, upgrade to Custom Permissions 8.x-1.1

Add new comment