DRUPAL-CONTRIB-2024-034

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/freelinking/DRUPAL-CONTRIB-2024-034.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-034

Aliases

CVE-2024-13270

Published

2024-09-04T15:35:55Z

Modified

2025-12-10T23:41:24.365971Z

Summary

[none]

Details

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.

The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.

References

https://www.drupal.org/sa-contrib-2024-034

Credits

- Matthew Radcliffe
- - https://www.drupal.org/user/157079

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/freelinking

Package

Name: drupal/freelinking
Purl: pkg:composer/drupal/freelinking

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

4.0.1

Database specific

{
    "constraint": "<4.0.1"
}

Database specific

affected_versions

"<4.0.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/freelinking/DRUPAL-CONTRIB-2024-034.json"