Drupal · Drupal · CVE-2022-25275
**Name of the Vulnerable Software and Affected Versions**
Drupal versions prior to the fixed version
**Description**
The Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, and files on those schemes are not subject to this check. This is mitigated by the fact that it only applies when the site sets `$config['image.settings']['allow_insecure_derivatives']` (Drupal 9) or `$conf['image_allow_insecure_derivatives']` (Drupal 7) to TRUE. The recommended and default setting is FALSE.
**Recommendations**
For Drupal 9, ensure that `$config['image.settings']['allow_insecure_derivatives']` is set to FALSE.
For Drupal 7, ensure that `$conf['image_allow_insecure_derivatives']` is set to FALSE.
Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Consider reviewing and adjusting the configuration of contributed modules that provide additional file systems or schemes to minimize potential risks.
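To check the mitigation on a Drupal 9 site, here is an added audit script (not Drupal's own code, and not part of the advisory) that reads the effective `allow_insecure_derivatives` value and lists any stream wrapper schemes beyond the core ones. It assumes core's `config.factory` and `stream_wrapper_manager` services, the hypothetical file name `audit_insecure_derivatives.php`, and that it is run with `drush php:script`.

```php
<?php
// Added example for CVE-2022-25275 (assumed usage: drush php:script audit_insecure_derivatives.php).
// Not Drupal core code; relies on core services as documented at the time of writing.

use Drupal\Core\StreamWrapper\StreamWrapperInterface;

/**
 * Returns a list of findings; an empty array means the mitigation is in place.
 */
function audit_insecure_derivatives(): array {
  $findings = [];

  // \Drupal::config() returns the effective value, including any $config[]
  // override from settings.php, so one read covers both places it can be set.
  $allow = (bool) \Drupal::config('image.settings')->get('allow_insecure_derivatives');
  if ($allow) {
    $findings[] = 'image.settings allow_insecure_derivatives is TRUE; the recommended and default value is FALSE.';
  }

  // Derivatives for files on schemes other than "private" are the ones whose
  // access is not checked. Anything outside this core set (assumed list)
  // comes from a contributed module and should be reviewed.
  $core_schemes = ['public', 'private', 'temporary'];
  $wrappers = \Drupal::service('stream_wrapper_manager')
    ->getWrappers(StreamWrapperInterface::ALL);
  $extra = array_values(array_diff(array_keys($wrappers), $core_schemes));

  if ($extra) {
    $findings[] = 'Non-core file schemes registered: ' . implode(', ', $extra)
      . ($allow ? ' (exposed while insecure derivatives are allowed)' : '');
  }

  return $findings;
}

$findings = audit_insecure_derivatives();
if (!$findings) {
  print "OK: insecure image derivatives are disabled.\n";
}
foreach ($findings as $finding) {
  print "FINDING: $finding\n";
}
```

On Drupal 7 the equivalent check is the `image_allow_insecure_derivatives` variable (for example `drush variable-get image_allow_insecure_derivatives`), which should be absent or FALSE.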