DRUPAL-CONTRIB-2023-034

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/acl/DRUPAL-CONTRIB-2023-034.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-034

Published

2023-08-23T14:51:16Z

Modified

2025-12-10T23:33:52.242810Z

Summary

[none]

Details

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

Forum Access
Flexi Access
Content Access

Coordinated Security Advisories are being released for those client modules that have Security coverage.

References

https://www.drupal.org/sa-contrib-2023-034

Credits

- Drew Webber
- - https://www.drupal.org/user/255969
- Samuel Mortenson
- - https://www.drupal.org/user/2582268

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/acl

Package

Name: drupal/acl
Purl: pkg:composer/drupal/acl

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.0

Database specific

{
    "constraint": "<1.0.0"
}

Database specific

affected_versions

"<1.0.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/acl/DRUPAL-CONTRIB-2023-034.json"