Downloads

Download tar.gz 210.34 KB
MD5: 6b1ea5c327f2b272ffcf9ba64674d557
SHA-1: dbd12dcd435f445f0a000e2dbc0888bb033f94ce
SHA-256: 41dec38e2bdd2455f3598d16b855e25d4e4b40fc84c7c6f92df500a85f3b831d
Download zip 234.83 KB
MD5: 05b3bcc842de1d10ca1bc66fcee748d6
SHA-1: bb68588c5031c89f3d7849704c194ab4f5fe7347
SHA-256: cdb69ff22e768b4861619f2fac1fdc9ef26a3e10d7082b20a35ab2e54b879268

Release notes

  • Advisory ID: SA-CONTRIB-2010-094
  • Project: Embedded Media Field (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-September-22
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Embedded Media Field project is a set of modules that allows editors to post URLs and embed codes for third-party media providers such as YouTube, Vimeo, or Flickr, which will be automatically parsed and displayed using preset formatters.

The Embedded Video Field module (packaged with the project) allows videos to be displayed in a modal popup using the Lightbox2, Shadowbox, Colorbox, and Thickbox modules. In some cases, this did not correctly check that the user had field-level access to the source video, allowing direct queries to the backend URL to display videos that the user would otherwise be unable to access.

Versions affected

  • Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and 6.x-2.0
  • Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Embedded Media Field module together with the Embedded Video Field module, there is nothing you need to do.
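To triage a site inventory against the version list above, the following added example (not part of the original advisory or of the module) classifies installed Embedded Media Field version strings. It assumes the usual Drupal contrib version format; the function names and the sample inventory are constructed, and development snapshots or branches the advisory does not list are flagged for manual review.

```python
import re

# First fixed patch level per (core branch, module major), copied from the
# "Versions affected" list above: 5.x-1.10, 6.x-1.24 and 6.x-2.0.
FIXED = {("5", 1): 10, ("6", 1): 24, ("6", 2): 0}

# Assumed format: <core>.x-<major>.<patch>[-<extra>], e.g. 6.x-2.0-rc1,
# or <core>.x-<major>.x-dev for a development snapshot.
VERSION_RE = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<patch>\d+|x)(?:-(?P<extra>[a-z]+\d*))?$"
)


def is_affected(version):
    """Return True (affected), False (fixed) or None (undecidable)."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError("not a Drupal contrib version string: %r" % version)
    if m.group("patch") == "x":
        return None  # dev snapshot: contents depend on checkout date
    fixed = FIXED.get((m.group("core"), int(m.group("major"))))
    if fixed is None:
        return None  # branch not listed in the advisory
    patch = int(m.group("patch"))
    if patch != fixed:
        return patch < fixed
    # Same number as the fixed release: a suffix such as -beta1 or -rc1
    # marks a pre-release, which is "prior to" the fixed release.
    return m.group("extra") is not None


def triage(inventory):
    """Map each site to 'affected', 'fixed' or 'review'."""
    labels = {True: "affected", False: "fixed", None: "review"}
    return {site: labels[is_affected(v)] for site, v in inventory.items()}


# Constructed inventory (site names and versions are made up).
SAMPLE = {
    "site-a": "6.x-1.23",
    "site-b": "6.x-2.0-rc1",
    "site-c": "6.x-2.0",
    "site-d": "5.x-1.9",
    "site-e": "6.x-1.x-dev",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE).items():
        print(site, SAMPLE[site], status)
```

A site is only exposed if the Embedded Video Field module is enabled as well, so an "affected" result is a prompt to check the enabled modules, not a confirmed finding.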

Solution

Install the latest version:

See also the Embedded Media Field project page.

Important note

Users wishing to update from version DRUPAL 6.x-1.x to version DRUPAL 6.x-2.x (or greater) of Embedded Media Field should be aware that as of version DRUPAL 6.x-2.x the module no longer provides direct support for third party media providers, instead acting as an API for other modules to use. All providers previously supported directly in earlier versions are now supported externally; see the partial list at the project page for a list of modules offering this support (such as Media: YouTube, Media: Vimeo, and Media: Flickr). Please note that at this time there are not yet specific modules for all the individual providers; if you don't see your desired provider in that list, it most likely will be in one of the 'Flotsam' modules listed at the end of that list, which serve as a temporary placeholder. Developers interested in creating or maintaining one of these individual provider modules are encouraged to contact the module maintainers.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Created by: aaron
Created on: 22 Sep 2010 at 14:08 UTC
Last updated: 1 Aug 2018 at 21:28 UTC
Security update
Insecure
Unsupported