View online: https://www.drupal.org/sa-contrib-2019-004 Project: Preview Link [1] Date: 2019-January-23 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description:  The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content. Solution:  Install the latest version: * If you use the Preview Link module for Drupal 8.x, upgrade to Preview Link 8.x-1.1 [3] Also see the Preview Link [4] project page. Reported By:  * Daniel [5] Fixed By:  * Daniel [6] Coordinated By:  * Lee Rowlands [7] of the Drupal Security Team [1] https://www.drupal.org/project/preview_link [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/preview_link/releases/8.x-1.1 [4] https://www.drupal.org/project/preview_link [5] https://www.drupal.org/user/81431 [6] https://www.drupal.org/user/81431 [7] https://www.drupal.org/user/larowlan