Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Project:

Form mode manager

Date:

2021-July-21

Security risk:

Moderately critical 11∕25 AC:Basic/A:User/CI:None/II:Some/E:Proof/TD:Default

Vulnerability:

Access bypass

Affected versions:

<1.4.0

Description:

This module provides a user interface that allows the implementation and use of Form modes without custom development.

The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example use X form mode.

Solution:

Install the latest version:

If you use the Form mode manager module 8.x-1.x series for Drupal 8, upgrade to form_mode_manager 8.x-1.4.

Reported By:

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community