Relation - Moderately Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-063
* Project: Relation (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 14/25 ( Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to store relationships between entities as fieldable
entities.

The module doesn't sufficiently check permissions when displaying related
entities labels with the Relation Dummy Field module widget.

This vulnerability is mitigated by the fact that the optional Relation Dummy
Field module must be enabled and any entity must be configured to display
related entities with the widget provided by the module.

VERSIONS AFFECTED

* Relation 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Relation module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Relation module for Drupal 7.x, upgrade to Relation 7.x-1.1

Also see the Relation project page: https://www.drupal.org/project/relation

Add new comment