The Media Library Block module allows you to render a media entity in a block.
The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.
Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.
Install the latest version:
- If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.
- Lee Rowlands of the Drupal Security Team
- Dan Flanagan
- ayalon
- xjm of the Drupal Security Team
- Jan Hug
- Dan Flanagan
- Dave Reid of the Drupal Security Team
- Damien McKenna of the Drupal Security Team