Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004 - Security-news

23 Jan 2019


      View online: https://www.drupal.org/sa-contrib-2019-004
Project: Preview Link [1]
Date: 2019-January-23
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: 
The Preview Link module enables you to generate preview links so anonymous
users can access unpublished revisions of content.
The last release of the module introduced an access bypass allowing users to
present invalid tokens but still access unpublished content.
Solution: 
Install the latest version:
* If you use the Preview Link module for Drupal 8.x, upgrade to Preview 
Link
     8.x-1.1 [3]
Also see the Preview Link [4] project page.
Reported By: 
   * Daniel   [5]
Fixed By: 
   * Daniel   [6]
Coordinated By: 
   * Lee Rowlands [7] of the Drupal Security Team
[1] https://www.drupal.org/project/preview_link
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/preview_link/releases/8.x-1.1
[4] https://www.drupal.org/project/preview_link
[5] https://www.drupal.org/user/81431
[6] https://www.drupal.org/user/81431
[7] https://www.drupal.org/user/larowlan