Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2023-May-31
Vulnerability:
Access bypass
Affected versions:
<1.21.0 || >=2.0.0 <2.0.4
Description:
This module provides social media share & follow buttons.
The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.
This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.
Solution:
Install the latest version:
- If you use the AddToAny Share Buttons module for Drupal 9.4+ or 10, upgrade to AddToAny 2.0.4
- If you use the AddToAny Share Buttons module for Drupal versions before 9.4, upgrade to AddToAny 8.x-1.21
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
