[Security-news] Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

security-news at drupal.org
Wed Jan 10 19:33:42 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-002

Project: Node View Permissions [1]
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass

Description: 
The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.

*This issue was fixed by the maintainer outside of the normal security team
protocols. Some issues were patched in 2014 for the 7.x version of this
module. The 8.x release was updated within the last 6 months. Both are now
flagged as security updates.*

Solution: 
Install the latest version:

   * If you use the Node View Permissions module for Drupal 7.x, upgrade to
     Node View Permissions 7.x-1.5 [3] or higher.
   * If you use the Node View Permissions module for Drupal 8.x, upgrade to
     Node View Permissions 8.x-1.1 [4] or higher.
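
To check a fleet against the fixed releases above, the following added example (not part of the advisory or the module) classifies installed Node View Permissions version strings. The site names and versions in SAMPLE are constructed, and treating -dev snapshots and pre-releases of the fixed version as not confirmed fixed is an assumption of this example.

```python
import re

# Fixed releases from SA-CONTRIB-2018-002, keyed by Drupal core branch.
FIXED = {"7.x": (1, 5), "8.x": (1, 1)}

# Drupal contrib version: <core>.x-<major>.<patch>[-<extra>] or <core>.x-<major>.x-dev
_VERSION = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z]+\d*))?$")

def classify(version):
    """Return 'fixed', 'vulnerable' or 'review' for an installed version string."""
    m = _VERSION.match(version.strip())
    if not m or m.group(1) not in FIXED:
        return "review"        # unparseable, or a branch the advisory does not cover
    core, major, patch, extra = m.groups()
    if patch == "x":
        return "review"        # -dev snapshot: the string does not say which commits it has
    installed = (int(major), int(patch))
    fixed = FIXED[core]
    if installed > fixed:
        return "fixed"
    if installed == fixed:
        # Assumption: a pre-release such as 8.x-1.1-rc1 precedes 8.x-1.1,
        # so it is not counted as the fixed release.
        return "vulnerable" if extra else "fixed"
    return "vulnerable"

def audit(inventory):
    """Map each site to its classification, given {site: version string}."""
    return {site: classify(v) for site, v in inventory.items()}

# Constructed sample inventory (hypothetical site names and versions).
SAMPLE = {
    "intranet": "7.x-1.4",
    "blog": "7.x-1.5",
    "shop": "8.x-1.0",
    "docs": "8.x-1.1-rc1",
    "staging": "8.x-1.x-dev",
    "portal": "8.x-1.2",
}

if __name__ == "__main__":
    for site, status in audit(SAMPLE).items():
        print(f"{site:10} {SAMPLE[site]:14} {status}")
```

Sites reported as "review" need a manual check of the deployed code, since the version string alone does not show whether the fix is present.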

Reported By: 
   * Heikki Kesa [5]

Fixed By: 
   * The module maintainer

Coordinated By: 
   * David Rothstein [6] of the Drupal Security Team


[1] https://www.drupal.org/project/node_view_permissions
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_view_permissions/releases/7.x-1.5
[4] https://www.drupal.org/project/node_view_permissions/releases/8.x-1.1
[5] https://www.drupal.org/u/heikki
[6] https://www.drupal.org/u/david_rothstein


