DRUPAL-CONTRIB-2023-002

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_browser/DRUPAL-CONTRIB-2023-002.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-002
Published
2023-01-18T17:28:05Z
Modified
2025-12-10T23:33:16.520874Z
Summary
[none]
Details

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/entity_browser

Package

Name
drupal/entity_browser
Purl
pkg:composer/drupal/entity_browser

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.9.0
Database specific
{
    "constraint": "<2.9.0"
}

Database specific

affected_versions
"<2.9.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_browser/DRUPAL-CONTRIB-2023-002.json"