Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

Project:

Responsive and off-canvas menu

Date:

2024-August-21

Security risk:

Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

Vulnerability:

Access bypass

Affected versions:

<4.4.4

CVE IDs:

CVE-2024-13266

Description:

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths.

The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access hooks meaning the titles of restricted nodes can appear in the menu.

Only sites with modules that implement hook_ENTITY_TYPE_access to restrict access to nodes are effected.

Solution:

Install the latest version:

If you use the 4.x branch of the responsive_menu module upgrade to 4.4.4

Reported By:

collinhaines

Fixed By:

Stephen Cox

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
Drew Webber of the Drupal Security Team

Contribution record

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community