First published: Wed Mar 15 2023
The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward.
Credit: James Williams, Dan Flanagan
Affected Software | Affected Version | How to fix |
---|---|---|
Drupal Drupal | <10.0.5 | 10.0.5 |
Drupal Drupal | <9.5.5 | 9.5.5 |
Drupal Drupal | <9.4.12 | 9.4.12 |
The severity of SA-CORE-2023-002 is classified as moderate due to improper access checks for media thumbnails.
To fix SA-CORE-2023-002, update your Drupal installation to a version that is not vulnerable: 10.0.5, 9.5.5, or 9.4.12, the fixed releases listed in the table above.
SA-CORE-2023-002 affects users of Drupal versions before 10.0.5, 9.5.5, and 9.4.12 who use the Media module.
The implication of SA-CORE-2023-002 is that users may see thumbnails of media items they do not have access to, including thumbnails for private files.
No, SA-CORE-2023-002 is not covered by Drupal Steward, and users should manage their updates independently.