• Advisory ID: DRUPAL-SA-CONTRIB-2010-094
  • Project: Embedded Media Field (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-September-22
  • Security risk: Moderately Critical, Less Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Embedded Media Field project is a set of modules that enable editors to post URLs and embed codes for third-party media providers such as YouTube, Vimeo, or Flickr; the media are automatically parsed and displayed using preset formatters.

The Embedded Video Field module (packaged with the project) enables videos to be displayed in a modal popup using the Lightbox2, Shadowbox, Colorbox, and Thickbox modules. In some cases the module's checks on the user's field-level access to the source video were not carried out correctly: a direct request to the backend URL that serves the modal content would display videos that the user would otherwise be unable to access.
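The following is an added illustration of the class of bug described above; it is not code from the Embedded Media Field project and does not reproduce the module's actual callback. It sketches a hypothetical Drupal 6 module (module name, menu paths and function names are assumptions) that serves a video for a modal popup. The vulnerable path gates the backend URL only on the generic 'access content' permission, so anyone who can guess or observe the URL gets the rendered field; the hardened path adds an access callback that checks node access and CCK field-level access (content_access() as provided by CCK 6.x-2.x) before rendering.

```php
<?php
// Added example, not the Embedded Media Field project's code.
// Hypothetical module "example_modal"; all names below are assumptions.
// Assumes Drupal 6 with CCK 6.x-2.x (content_fields, content_access,
// content_format) installed.

/**
 * Implementation of hook_menu().
 *
 * Both paths are of the form example/.../NID/FIELD_NAME; the %node wildcard
 * makes Drupal load the node and pass it to the callbacks.
 */
function example_modal_menu() {
  $items = array();

  // VULNERABLE pattern: the only gate is the site-wide 'access content'
  // permission. Neither node_access() nor field-level access is consulted,
  // so a direct request to this backend URL returns the field contents even
  // when the user could not see the field on the node page itself.
  $items['example/modal/%node/%'] = array(
    'page callback' => 'example_modal_page',
    'page arguments' => array(2, 3),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );

  // HARDENED pattern: a dedicated access callback receives the loaded node
  // and the field name and enforces the same checks the node view would.
  $items['example/modal-safe/%node/%'] = array(
    'page callback' => 'example_modal_page',
    'page arguments' => array(2, 3),
    'access callback' => 'example_modal_access',
    'access arguments' => array(2, 3),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Access callback for the hardened path.
 *
 * Returns TRUE only if the current user may view the node AND may view the
 * specific CCK field being rendered into the modal.
 */
function example_modal_access($node, $field_name) {
  global $user;

  // Node-level access (node_access module grants, unpublished status, ...).
  if (!node_access('view', $node)) {
    return FALSE;
  }

  // The field must exist on this content type; otherwise deny rather than
  // fall through to rendering an arbitrary node property.
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    return FALSE;
  }

  // Field-level access, as enforced by CCK and modules such as Content
  // Permissions; this is the check whose absence causes the bypass.
  return content_access('view', $field, $user, $node);
}

/**
 * Page callback shared by both paths: renders every item of the field.
 *
 * Note that the callback itself performs no access checks; the difference
 * between the two paths is entirely in the menu router entries above.
 */
function example_modal_page($node, $field_name) {
  $output = '';
  $items = isset($node->$field_name) ? $node->$field_name : array();
  foreach ($items as $item) {
    // content_format() applies the field's default formatter (for a video
    // field, the embed markup for the provider).
    $output .= '<div class="modal-video">';
    $output .= content_format($field_name, $item, 'default', $node);
    $output .= '</div>';
  }
  return $output;
}
```

The practical check for an audit is the menu router entry, not the page callback: any path that returns field data for a modal, AJAX or "backend" request must carry an access callback at least as strict as the node view that normally displays that field.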

Versions affected

  • Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and 6.x-2.0
  • Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Embedded Media Field module together with its Embedded Video Field module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Embedded Media Field module for Drupal 6.x, upgrade to Embedded Media Field 6.x-1.24 or 6.x-2.0
  • If you use the Embedded Media Field module for Drupal 5.x, upgrade to Embedded Media Field 5.x-1.10

See also the Embedded Media Field project page.

Important note

Users wishing to update from version 6.x-1.x to version 6.x-2.x (or later) of Embedded Media Field should be aware that as of version 6.x-2.x the module no longer provides direct support for third-party media providers; instead it acts as an API for other modules to use. All providers previously supported directly in earlier versions are now supported by external modules; see the partial list on the project page for the modules offering this support (such as Media: YouTube, Media: Vimeo, and Media: Flickr). Please note that at this time there are not yet specific modules for all the individual providers; if you don't see your desired provider in that list, it most likely lives in one of the 'Flotsam' modules listed at the end of that list, which serve as a temporary placeholder. Developers interested in creating or maintaining one of these individual provider modules are encouraged to contact the module maintainers.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.