Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

Project: Fancy File Delete
Date: 2022-February-09
Security risk: Moderately critical 14/25
Vulnerability: Access Bypass

Description

This module enables you to manage and delete files.

The module doesn't sufficiently protect unmanaged files from view: an unauthenticated user who knows the path of a view based on this module can visit it and attempt to delete files, which results in duplicate files being created.

To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities".

Solution

Install the latest version and check your views configuration:

  1. If you use the Fancy File Delete module for Drupal ^8.x, upgrade to Fancy File Delete 2.0.7
  2. Review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities".
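As an added illustration (not configuration from the advisory or from the module itself), the relevant fragment of an exported Drupal 8+ view (`views.view.<name>.yml`, hypothetical view name) showing the weak access setting next to the corrected one that restricts the display to the permission named above:

```yaml
# Weak: the view display is reachable by anyone who knows its path,
# including anonymous users. (Hypothetical exported view; display
# section only.)
display:
  default:
    display_options:
      access:
        type: none
        options: {  }

---
# Corrected: the display is gated by the module's administrative
# permission, so an anonymous visitor receives "access denied"
# instead of reaching the delete form.
display:
  default:
    display_options:
      access:
        type: perm
        options:
          perm: 'administer unmanaged files entities'
```

Check every display of each view, not only the default: a page display that overrides the default (it carries `defaults: { access: false }` in the export) has its own access setting that must be corrected separately.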
