Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Project: Config Pages
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5,8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: Moderately critical 12∕25
Vulnerability: Information Disclosure
Affected versions: <2.9.0

Description

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.

Solution

Install the latest version:

If you use the Config Pages module for Drupal 8+, upgrade to Config Pages 8.x-2.9