View online: https://www.drupal.org/sa-contrib-2024-012
Project: Private content [1] Date: 2024-February-28 Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Affected versions: <2.1.0 Description: This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.
The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".
Solution: Install the latest version:
* If you use the Private Content module for Drupal 8.x, upgrade to Private Content 8.x-2.1 [3]
Reported By: * kiwimind [4]
Fixed By: * Adam Shepherd [5]
Coordinated By: * Greg Knaddison [6] of the Drupal Security Team * Juraj Nemec [7] of the Drupal Security Team
[1] https://www.drupal.org/project/private_content [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/private_content/releases/8.x-2.1 [4] https://www.drupal.org/user/749470 [5] https://www.drupal.org/user/2650563 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/272316