View online: https://www.drupal.org/sa-contrib-2023-047
Project: Content Moderation Notifications [1]
Date: 2023-September-27
Security risk: *Moderately critical* 11/25 AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:All [2]
Vulnerability: Information disclosure
Affected versions: >=3.0.0 <3.6.0

Description:
This module enables notifications to be sent to all users of a particular role, or to the content's author, when a piece of content is transitioned from one state to another via core's content_moderation module.
The module doesn't sufficiently check access to content when sending notifications. This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.
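As an added illustration of the kind of access check the advisory describes (this is not the module's own code or its fix), a helper that drops candidate recipients who cannot view the entity before any notification mail is built; the function name is hypothetical and the Drupal entity access API is real.

```php
<?php

use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Reduce a candidate recipient list to the accounts allowed to view $entity.
 *
 * Hypothetical helper (not the module's own code). Call it before the
 * notification subject, body and link are derived from $entity, so that
 * content data only reaches users who could also load that content on
 * the site. Draft and latest-revision access is resolved by the entity's
 * access handler, so no content_moderation-specific logic is needed here.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 *   The moderated entity whose state transition triggered the notification.
 * @param \Drupal\Core\Session\AccountInterface[] $candidates
 *   Accounts selected by role or authorship for this transition.
 *
 * @return \Drupal\Core\Session\AccountInterface[]
 *   Only the accounts for which 'view' access to $entity is allowed.
 */
function example_filter_notification_recipients(EntityInterface $entity, array $candidates): array {
  return array_filter($candidates, static function (AccountInterface $account) use ($entity): bool {
    // Ask the entity access handler rather than comparing roles directly:
    // this honours node grants, "view own unpublished content" permissions
    // and any hook_entity_access() implementations installed on the site.
    return $entity->access('view', $account);
  });
}
```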
Solution:
Install the latest version:
* If you use the Content Moderation Notifications module for Drupal 8.x, upgrade to Content Moderation Notifications 8.x-3.6 [3].
Reported By:
* lucasantunes [4]

Fixed By:
* Jonathan Hedstrom [5]
* Luke Leber [6]
* Rob Holmes [7]

Coordinated By:
* Jess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/content_moderation_notifications
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/content_moderation_notifications/releases/8.x...
[4] https://www.drupal.org/user/3603448
[5] https://www.drupal.org/user/208732
[6] https://www.drupal.org/user/3509746
[7] https://www.drupal.org/user/1774034
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818