DRUPAL-CONTRIB-2023-004

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/media_library_form_element/DRUPAL-CONTRIB-2023-004.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-004

Published

2023-01-18T17:49:04Z

Modified

2025-12-10T23:33:20.517378Z

Summary

[none]

Details

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

References

https://www.drupal.org/sa-contrib-2023-004

Credits

- Benji Fisher
- - https://www.drupal.org/user/683300
- Dan Flanagan
- - https://www.drupal.org/user/3615359

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/media_library_form_element

Package

Name: drupal/media_library_form_element
Purl: pkg:composer/drupal/media_library_form_element

Affected ranges

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.6

Database specific

{
    "constraint": ">=2.0 <2.0.6"
}

Database specific

affected_versions

">=2.0 <2.0.6"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/media_library_form_element/DRUPAL-CONTRIB-2023-004.json"