<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div>View online: <a href="https://www.drupal.org/sa-core-2019-011" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2019-011</a><br>
<br>
Project: Drupal core [1]<br>
Version: 8.8.x-dev8.7.x-dev<br>
Date: 2019-December-18<br>
Security risk: *Moderately critical* 10∕25<br>
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]<br>
Vulnerability: Access bypass<br>
<br>
Description: <br>
The Media Library module has a security vulnerability whereby it doesn't<br>
sufficiently restrict access to media items in certain configurations.<br>
<br>
Solution: <br>
   * If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 [3].<br>
   * If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 [4].<br>
<br>
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive<br>
security coverage.<br>
<br>
Alternatively, you may mitigate this vulnerability by unchecking the "Enable<br>
advanced UI" checkbox on /admin/config/media/media-library. (This mitigation<br>
is not available in 8.7.x.)<br>
<br>
Reported By: <br>
   * Adam G-H  [5]<br>
<br>
Fixed By: <br>
   * Adam G-H  [6]<br>
   * Jess   [7] of the Drupal Security Team<br>
   * Andrei Mateescu  [8]<br>
   * Greg Knaddison  [9] of the Drupal Security Team<br>
   * Alex Bronstein  [10] of the Drupal Security Team<br>
   * Sean Blommaert  [11]<br>
   * Lee Rowlands  [12] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://security.drupal.org/project/drupal/releases/8.7.11" rel="noreferrer" target="_blank">https://security.drupal.org/project/drupal/releases/8.7.11</a><br>
[4] <a href="https://security.drupal.org/project/drupal/releases/8.8.1" rel="noreferrer" target="_blank">https://security.drupal.org/project/drupal/releases/8.8.1</a><br>
[5] <a href="https://www.drupal.org/user/205645" rel="noreferrer" target="_blank">https://www.drupal.org/user/205645</a><br>
[6] <a href="https://www.drupal.org/user/205645" rel="noreferrer" target="_blank">https://www.drupal.org/user/205645</a><br>
[7] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>
[8] <a href="https://www.drupal.org/user/729614" rel="noreferrer" target="_blank">https://www.drupal.org/user/729614</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[10] <a href="https://www.drupal.org/user/78040" rel="noreferrer" target="_blank">https://www.drupal.org/user/78040</a><br>
[11] <a href="https://www.drupal.org/user/545912" rel="noreferrer" target="_blank">https://www.drupal.org/user/545912</a><br>
[12] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div></div>