View online: https://www.drupal.org/sa-contrib-2018-002
Project: Node View Permissions [1] Version: 8.x-1.x-dev7.x-1.x-dev Date: 2018-January-10 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access Bypass
Description: The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.
This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.
* This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.*
Solution: Install the latest version:
* If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.5 [3] or higher. * If you use the Node View Permissions module for Drupal 8.x, upgrade to Node View Permissions 8.x-1.1 [4] or higher.
Reported By: * Heikki Kesa [5]
Fixed By: * The module maintainer
Coordinated By: * David Rothstein [6] Of the Drupal Security Team
[1] https://www.drupal.org/project/node_view_permissions [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/node_view_permissions/releases/7.x-1.5 [4] https://www.drupal.org/project/node_view_permissions/releases/8.x-1.1 [5] https://www.drupal.org/u/heikki [6] https://www.drupal.org/u/david_rothstein