DRUPAL-CONTRIB-2018-040

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_delete/DRUPAL-CONTRIB-2018-040.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-040
Published
2018-06-06T13:05:27Z
Modified
2025-12-10T23:33:30.387083Z
Summary
[none]
Details

This module enables you to delete entities of any type in bulk.

The module doesn't sufficiently verify access permissions in its use cases, leading to an access bypass. The module also does not protect its delete process against Cross Site Request Forgery (CSRF).

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/entity_delete

Package

Name
drupal/entity_delete
Purl
pkg:composer/drupal/entity_delete

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.0
Database specific
{
    "constraint": "<1.4.0"
}

Database specific

affected_versions
"<1.4.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_delete/DRUPAL-CONTRIB-2018-040.json"