Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Project: Entity Delete
Date: 2018-June-06
Security risk: *Critical* 18∕25
Vulnerability: Multiple Vulnerabilities

Description

 
This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use
cases, leading to access bypass. The module also does not protect against
Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker
must have a role with the permission "access content". There is no additional
mitigation for the Cross Site Request Forgery vulnerability.

Solution

 
Install the latest version:

* If you use the Entity Delete module for Drupal 8.x, upgrade to Entity Delete 8.x-1.4

Also see the Entity Delete project page.

Add new comment