View online: https://www.drupal.org/sa-contrib-2022-054
Project: Next.js [1] Version: 1.2.01.1.01.0.0 Date: 2022-September-07 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.
The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.
Solution: If you use the Next.js module for Drupal 9.x:
1) Upgrade to version v1.3.0 [3]. 2) Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.
See the upgrade guide at https://next-drupal.org/docs/upgrade-guide [4].
Reported By: * Lauri Eskola [5]
Fixed By: * Lauri Eskola [6] * shadcn [7] * Minnur Yunusov [8]
Coordinated By: * Damien McKenna [9] of the Drupal Security Team
[1] https://www.drupal.org/project/next [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/next/releases/1.3.0 [4] https://next-drupal.org/docs/upgrade-guide [5] https://www.drupal.org/user/1078742 [6] https://www.drupal.org/user/1078742 [7] https://www.drupal.org/user/571032 [8] https://www.drupal.org/user/702026 [9] https://www.drupal.org/user/108450