Downloads

Download emfield-5.x-1.11.tar.gz (tar.gz, 85.91 KB)
MD5: 909207aa52036e79cf83961668a3a5d7
SHA-1: acf9c6c22534f5c4ed0aff5fe0ebf263c80d11ea
SHA-256: a25fc97ce3fb23ddec9dcca919c0b83ac7f38db1e3f1aa22f95aadcf31ccf7d0
Download emfield-5.x-1.11.zip (zip, 136.45 KB)
MD5: d34e58b5ae29cc1d1ff63dccbcb4ac64
SHA-1: e3f4c330caffc6a56ca788f981d86b88f751670d
SHA-256: 20e2012b79774859247184f7b07702ab5c6653a09c1d132378a212fe17045208

Release notes

  • Advisory ID: SA-CONTRIB-2010-094
  • Project: Embedded Media Field (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-September-22
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Embedded Media Field project is a set of modules that allows editors to post URLs and embed codes for third-party media providers such as YouTube, Vimeo, or Flickr, which are automatically parsed and displayed using preset formatters.

The Embedded Video Field module (packaged with the project) allows videos to be displayed in a modal popup using the Lightbox2, Shadowbox, Colorbox, and Thickbox modules. In some cases, the module did not correctly check that the user had field-level access to the source video, so a direct query to the backend URL could display videos that the user would otherwise be unable to access.
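The class of check described above, as an added example for Drupal 6 with CCK; it is not code from Embedded Media Field. The module name example_modal, its path and its function names are hypothetical, and node_access(), content_fields(), content_access() and content_format() are the core and CCK calls it assumes are available.

```php
<?php
// Added example: hypothetical module "example_modal", not emfield's code.

/**
 * Implementation of hook_menu(): the backend URL a modal popup requests.
 */
function example_modal_menu() {
  $items['example-modal/%node/%'] = array(
    'page callback' => 'example_modal_render',
    'page arguments' => array(1, 2),
    // Weak form: 'access callback' => TRUE serves the field to anyone who
    // requests this URL directly. Hardened form: repeat the checks below.
    'access callback' => 'example_modal_access',
    'access arguments' => array(1, 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: apply the same checks as a normal node view.
 */
function example_modal_access($node, $field_name) {
  // Node-level access: published state and node access modules.
  if (!node_access('view', $node)) {
    return FALSE;
  }
  // The requested name must be a CCK field on this content type.
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    return FALSE;
  }
  // Field-level access, e.g. CCK's Content Permissions module.
  return content_access('view', $field, NULL, $node);
}

/**
 * Page callback: print only the field markup for the popup.
 */
function example_modal_render($node, $field_name) {
  $field = content_fields($field_name, $node->type);
  $output = '';
  foreach ((array) $node->$field_name as $item) {
    // Render each stored item with the field's default formatter.
    $output .= content_format($field, $item, 'default', $node);
  }
  print $output;
  exit();
}
```

Because the checks live in the menu access callback, a direct request from a user without access gets the standard 403 response before the page callback runs.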

Versions affected

  • Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and 6.x-2.0
  • Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Embedded Media Field module together with the Embedded Video Field module, there is nothing you need to do.

Solution

Install the latest version:

See also the Embedded Media Field project page.

Important note

Users wishing to update from version DRUPAL 6.x-1.x to version DRUPAL 6.x-2.x (or greater) of Embedded Media Field should be aware that as of version DRUPAL 6.x-2.x the module no longer provides direct support for third-party media providers, instead acting as an API for other modules to use. All providers previously supported directly in earlier versions are now supported externally; see the partial list on the project page for modules offering this support (such as Media: YouTube, Media: Vimeo, and Media: Flickr). Please note that at this time there are not yet specific modules for all the individual providers; if you don't see your desired provider in that list, it will most likely be in one of the 'Flotsam' modules listed at the end of that list, which serve as a temporary placeholder. Developers interested in creating or maintaining one of these individual provider modules are encouraged to contact the module maintainers.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Created by: aaron
Created on: 22 Sep 2010 at 14:04 UTC
Last updated: 1 Aug 2018 at 20:25 UTC
Security update
Insecure
