Anonymous user can alter fields of any subscriber

Created on 16 June 2020, over 4 years ago

Updated 22 July 2023, over 1 year ago

Configure as admin:

Exploit as hostile Anonymous:

🐛 Bug report

Status

Fixed

Version

4.0

Component

Code

Created by

🇬🇧United Kingdom adamps

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇬🇧United Kingdom adamps
Comment over 1 year ago →
🇬🇧United Kingdom adamps
Status changed to Needs review over 1 year ago1:33pm 22 July 2023
Open in Jenkins → Open on Drupal.org →
Core: 9.5.x + Environment: PHP 8.1 & MySQL 8
last update over 1 year ago
59 pass
Comment over 1 year ago →
🇬🇧United Kingdom adamps
Most of the work was done in 🐛 Model for confirmations is flawed Fixed . This patch fixes a bug and adds some tests.

AdamPS → committed ac64cced on 4.x

Issue #3152102 by AdamPS, nejcramsak: Anonymous user can alter fields of...

Status changed to Fixed over 1 year ago1:38pm 22 July 2023
Comment over 1 year ago →
🇬🇧United Kingdom adamps
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024