<div dir="ltr">Prezados.<br><div><div class="gmail_quote"><br>View online: <a href="https://www.drupal.org/sa-contrib-2021-007" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2021-007</a><br>
<br>
Project: Gutenberg [1]<br>
Version: 8.x-2.x-dev8.x-1.x-dev<br>
Date: 2021-May-12<br>
Security risk: *Critical* 18∕25<br>
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>
Vulnerability: Cross site scripting<br>
<br>
Description: <br>
This module provides a new UI experience for node editing using the Gutenberg<br>
Editor library.<br>
<br>
The module did not correctly validate access rules in certain situations<br>
allowing anonymous users to delete blocks.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12 [3]<br>
   * If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0 [4]<br>
   * For roles other than administrator, the "Administer Gutenberg" (8.x-1.x)<br>
     or the "Use Gutenberg" (8.x-2.x) permission must be given to view and<br>
     delete reusable blocks.<br>
<br>
Reported By: <br>
   * Stephan Zeidler [5]<br>
   * Mariusz Andrzejewski [6]<br>
<br>
Fixed By: <br>
   * Stephan Zeidler [7]<br>
   * codebymikey [8]<br>
   * Marco Fernandes [9]<br>
<br>
Coordinated By: <br>
   * Damien McKenna [10] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/gutenberg" rel="noreferrer" target="_blank">https://www.drupal.org/project/gutenberg</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/gutenberg/releases/8.x-1.12" rel="noreferrer" target="_blank">https://www.drupal.org/project/gutenberg/releases/8.x-1.12</a><br>
[4] <a href="https://www.drupal.org/project/gutenberg/releases/8.x-2.0" rel="noreferrer" target="_blank">https://www.drupal.org/project/gutenberg/releases/8.x-2.0</a><br>
[5] <a href="https://www.drupal.org/user/767652" rel="noreferrer" target="_blank">https://www.drupal.org/user/767652</a><br>
[6] <a href="https://www.drupal.org/user/3517832" rel="noreferrer" target="_blank">https://www.drupal.org/user/3517832</a><br>
[7] <a href="https://www.drupal.org/user/767652" rel="noreferrer" target="_blank">https://www.drupal.org/user/767652</a><br>
[8] <a href="https://www.drupal.org/user/3573206" rel="noreferrer" target="_blank">https://www.drupal.org/user/3573206</a><br>
[9] <a href="https://www.drupal.org/user/2127558" rel="noreferrer" target="_blank">https://www.drupal.org/user/2127558</a><br>
[10] <a href="https://www.drupal.org/u/damienmckenna" rel="noreferrer" target="_blank">https://www.drupal.org/u/damienmckenna</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>
</div></div></div>