
<div dir="ltr"><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">View online: <a href="https://www.drupal.org/sa-contrib-2024-017" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-017</a><br></div></div></div><div class="gmail_quote">

<br>

Project: Advanced PWA [1]<br>

Date: 2024-April-24<br>

Security risk: *Critical* 16∕25<br>

AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>

Vulnerability: Access bypass<br>

<br>

Affected versions: <1.5.0<br>

Description: <br>

Progressive web applications are web applications that load like regular web<br>

pages or websites but can offer the user functionality such as working<br>

offline, push notifications, and device hardware access traditionally<br>

available only to native applications.<br>

<br>

This module doesn't sufficiently protect access to the settings form,<br>

allowing an unauthorized malicious user to view and modify the module<br>

settings.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you use the Advanced Progressive Web App module for Drupal 8.x, <br>

upgrade<br>

     to Advanced Progressive Web App 8.x-1.5 [3]<br>

<br>

Reported By: <br>

   * Matthew Grasmick [4]<br>

<br>

Fixed By: <br>

   * gMaximus [5]<br>

<br>

Coordinated By: <br>

   * Greg Knaddison [6] of the Drupal Security Team<br>

   * Michael Hess [7] of the Drupal Security Team<br>

   * cilefen [8] of the Drupal Security Team<br>

   * Cathy Theys [9] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/advanced_pwa" rel="noreferrer" target="_blank">https://www.drupal.org/project/advanced_pwa</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/project/advanced_pwa/releases/8.x-1.5" rel="noreferrer" target="_blank">https://www.drupal.org/project/advanced_pwa/releases/8.x-1.5</a><br>

[4] <a href="https://www.drupal.org/user/455714" rel="noreferrer" target="_blank">https://www.drupal.org/user/455714</a><br>

[5] <a href="https://www.drupal.org/user/1612496" rel="noreferrer" target="_blank">https://www.drupal.org/user/1612496</a><br>

[6] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>

[7] <a href="https://www.drupal.org/user/102818" rel="noreferrer" target="_blank">https://www.drupal.org/user/102818</a><br>

[8] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>

[9] <a href="https://www.drupal.org/user/258568" rel="noreferrer" target="_blank">https://www.drupal.org/user/258568</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>

</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div>