View online: https://www.drupal.org/sa-contrib-2018-071
Project: Decoupled Router [1] Version: 8.x-1.18.x-1.0 Date: 2018-October-31 Security risk: *Critical* 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Description: This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.
The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.
Solution: Install the latest version:
* If you use the Decoupled Router module for Drupal 8.x, upgrade to Decoupled Router 8.x-1.2 [3]
Also see the Decoupled Router [4] project page.
Reported By: * Rainer Friederich [5]
Fixed By: * Mateu Aguiló Bosch [6]
Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team * Michael Hess (mlhess) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/decoupled_router [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/decoupled_router/releases/8.x-1.2 [4] https://www.drupal.org/project/decoupled_router [5] https://www.drupal.org/user/3066367 [6] https://www.drupal.org/user/550110 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/102818