<div dir="ltr"><br><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2021-023" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2021-023</a><br>
<br>
Project: Form mode manager [1]<br>
Date: 2021-July-21<br>
Security risk: *Moderately critical* 11/25<br>
AC:Basic/A:User/CI:None/II:Some/E:Proof/TD:Default [2]<br>
Vulnerability: Access bypass<br>
<br>
Description: <br>
This module provides a user interface that allows the implementation and use<br>
of /Form modes/ without custom development.<br>
<br>
The module does not sufficiently respect access restrictions to entity forms<br>
for routes it creates to use specific form modes.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must have a role<br>
with the permission to use a specific form mode, for example the *use X form mode* permission.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
* If you use the Form mode manager module 8.x-1.x series for Drupal 8,<br>
upgrade to form_mode_manager 8.x-1.4 [3].<br>
<br>
Reported By: <br>
* Byron Duvall [4]<br>
* Jason Partyka [5]<br>
* Bec [6]<br>
<br>
Fixed By: <br>
* Byron Duvall [7]<br>
* Derek Wright [8]<br>
<br>
Coordinated By: <br>
* Greg Knaddison [9] of the Drupal Security Team<br>
* Damien McKenna [10] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/form_mode_manager" rel="noreferrer" target="_blank">https://www.drupal.org/project/form_mode_manager</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/form_mode_manager/releases/8.x-1.4" rel="noreferrer" target="_blank">https://www.drupal.org/project/form_mode_manager/releases/8.x-1.4</a><br>
[4] <a href="https://www.drupal.org/user/1279040" rel="noreferrer" target="_blank">https://www.drupal.org/user/1279040</a><br>
[5] <a href="https://www.drupal.org/user/344048" rel="noreferrer" target="_blank">https://www.drupal.org/user/344048</a><br>
[6] <a href="https://www.drupal.org/user/81067" rel="noreferrer" target="_blank">https://www.drupal.org/user/81067</a><br>
[7] <a href="https://www.drupal.org/user/1279040" rel="noreferrer" target="_blank">https://www.drupal.org/user/1279040</a><br>
[8] <a href="https://www.drupal.org/user/46549" rel="noreferrer" target="_blank">https://www.drupal.org/user/46549</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[10] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a></div><div class="gmail_quote"><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div>Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div></div>
</div></div>