DRUPAL-CONTRIB-2023-004

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/media_library_form_element/DRUPAL-CONTRIB-2023-004.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-004
Published
2023-01-18T17:49:04Z
Modified
2025-12-10T23:33:20.517378Z
Summary
[none]
Details

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/media_library_form_element

Package

Name
drupal/media_library_form_element
Purl
pkg:composer/drupal/media_library_form_element

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.6
Database specific
{
    "constraint": ">=2.0 <2.0.6"
}

Database specific

affected_versions
">=2.0 <2.0.6"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/media_library_form_element/DRUPAL-CONTRIB-2023-004.json"