[Security-news] Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

security-news at drupal.org
Wed Feb 28 19:04:48 UTC 2024


View online: https://www.drupal.org/sa-contrib-2024-012

Project: Private content [1]
Date: 2024-February-28
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <2.1.0
Description: 
This module gives each node a 'private' checkbox. If it's set, the node can
only be seen by the node author, or users with the 'access private content'
permission.

The module incorrectly grants access to private nodes under certain specific
circumstances. This vulnerability is mitigated by the fact that an attacker
must have a role with the permission "Access private content".

Solution: 
Install the latest version:

   * If you use the Private Content module for Drupal 8.x, upgrade to Private
     Content 8.x-2.1 [3]

Reported By: 
   * kiwimind [4]

Fixed By: 
   * Adam Shepherd [5]

Coordinated By: 
   * Greg Knaddison [6] of the Drupal Security Team
   * Juraj Nemec [7] of the Drupal Security Team


[1] https://www.drupal.org/project/private_content
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_content/releases/8.x-2.1
[4] https://www.drupal.org/user/749470
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/272316


