Downloads

Download tar.gz 256.99 KB
MD5: 414efd66cd5223d0959f5234169800b3
SHA-1: 5e701f2019d618f3179734aa31d30392d85b4b46
SHA-256: 347436b16f675b5a88ba35a47287752ecba3784393c2b68625020c47a418cc0c
Download zip 321.2 KB
MD5: 0c0a683e4fec8586cfaf03fa83bc4517
SHA-1: 5fbdc4ba097ce11b1350e7fccd207c06d51cb84c
SHA-256: d06fc4d1f51d8cedb930945a24da4824f74dd28b51c1db417a4c79d7689910aa

Release notes

  • Advisory ID: SA-CONTRIB-2010-094
  • Project: Embedded Media Field (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-September-22
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Embedded Media Field project is a set of modules that allows editors to post URLs and embed codes for third-party media providers such as YouTube, Vimeo, or Flickr, which will be automatically parsed and displayed using preset formatters.

The Embedded Video Field module (packaged with the project) allows videos to be displayed in a modal popup using the Lightbox2, Shadowbox, Colorbox, and Thickbox modules. In some cases, this did not correctly check that the user had field level access to the source video, allowing direct queries to the backend URL to display videos which the user would otherwise be unable to access.
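The following is an added example, not code from Embedded Media Field or from the advisory. It shows how a Drupal 6 menu callback behind a modal popup can enforce both node access and CCK field-level access before any output is produced. The module name `example_modal`, its path, and its function names are hypothetical; `node_access()`, `content_fields()` and `content_access()` are the Drupal 6 core and CCK functions it relies on.

```php
<?php
// Hypothetical Drupal 6 module "example_modal"; the path and function names
// are illustrative, not taken from Embedded Media Field.

/**
 * Implements hook_menu().
 */
function example_modal_menu() {
  $items = array();
  // Backend URL fetched by the modal popup: example_modal/video/NID/FIELD_NAME.
  $items['example_modal/video/%node/%'] = array(
    'page callback' => 'example_modal_video_page',
    'page arguments' => array(2, 3),
    // Weak form: 'access arguments' => array('access content') alone tests a
    // site-wide permission and says nothing about this node or this field.
    'access callback' => 'example_modal_video_access',
    'access arguments' => array(2, 3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: require node access and field-level access.
 */
function example_modal_video_access($node, $field_name) {
  // Node-level check (published state, node access modules).
  if (!node_access('view', $node)) {
    return FALSE;
  }
  // Only accept a field that really exists on this content type.
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    return FALSE;
  }
  // Field-level check: CCK asks hook_field_access() implementations, such as
  // Content Permissions, whether the current user may view this field.
  return content_access('view', $field, NULL, $node);
}

/**
 * Page callback: reached only after the access callback returned TRUE.
 */
function example_modal_video_page($node, $field_name) {
  // Stand-in for the real formatter output.
  print check_plain($node->{$field_name}[0]['value']);
  exit();
}
```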

Versions affected

  • Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and 6.x-2.0
  • Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Embedded Media Field module together with the Embedded Video Field module, there is nothing you need to do.

Solution

Install the latest version:

See also the Embedded Media Field project page.

Important note

Users wishing to update from version DRUPAL 6.x-1.x to version DRUPAL 6.x-2.x (or greater) of Embedded Media Field should be aware that as of version DRUPAL 6.x-2.x the module no longer provides direct support for third-party media providers, instead acting as an API for other modules to use. All providers previously supported directly in earlier versions are now supported externally; see the partial list on the project page of modules offering this support (such as Media: YouTube, Media: Vimeo, and Media: Flickr). Please note that at this time there are not yet specific modules for all the individual providers; if you don't see your desired provider in that list, it will most likely be in one of the 'Flotsam' modules listed at the end of that list, which serve as temporary placeholders. Developers interested in creating or maintaining one of these individual provider modules are encouraged to contact the module maintainers.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Created by: aaron
Created on: 22 Sep 2010 at 14:07 UTC
Last updated: 1 Aug 2018 at 21:28 UTC
Security update
Insecure
Unsupported
