View online: https://www.drupal.org/sa-contrib-2018-067
Project: Workbench Moderation [1] Date: 2018-October-17 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Description: The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.
In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution: Install the latest version:
* If you use the Workbench Moderation module for Drupal 8.x, upgrade to Workbench Moderation 8.x-1.4 [4]
Also see the Drupal core [5] project page.
Reported By: * Roland Kovacsics [6]
Fixed By: * Wim Leers [7] * Daniel Wehner [8] * Sam Becker [9] * Tim Millwood [10] * Alex Pott [11] of the Drupal Security Team
Coordinated By: * Greg Knaddison [12] of the Drupal Security Team * Lee Rowlands [13] of the Drupal Security Team
[1] https://www.drupal.org/project/workbench_moderation [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-006 [4] https://www.drupal.org/project/workbench_moderation/releases/8.x-1.4 [5] https://www.drupal.org/project/drupal [6] https://www.drupal.org/user/3528385 [7] https://www.drupal.org/user/99777 [8] https://www.drupal.org/user/99340 [9] https://www.drupal.org/user/1485048 [10] https://www.drupal.org/user/227849 [11] https://www.drupal.org/user/157725 [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/u/larowlan