[Security-news] Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067
security-news at drupal.org
security-news at drupal.org
Wed Oct 17 22:54:45 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-067
Project: Workbench Moderation [1]
Date: 2018-October-17
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
The Workbench Moderation module adds arbitrary moderation states to Drupal
core's "unpublished" and "published" node states, and affects the behavior of
node revisions when nodes are published.
In some conditions, content moderation fails to check a users access to use
certain transitions, leading to an access bypass.
This issue is related to the Drupal Core release SA-CORE-2018-006 [3].
Solution:
Install the latest version:
* If you use the Workbench Moderation module for Drupal 8.x, upgrade to
Workbench Moderation 8.x-1.4 [4]
Also see the Drupal core [5] project page.
Reported By:
* Roland Kovacsics [6]
Fixed By:
* Wim Leers [7]
* Daniel Wehner [8]
* Sam Becker [9]
* Tim Millwood [10]
* Alex Pott [11] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
[1] https://www.drupal.org/project/workbench_moderation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/project/workbench_moderation/releases/8.x-1.4
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/user/3528385
[7] https://www.drupal.org/user/99777
[8] https://www.drupal.org/user/99340
[9] https://www.drupal.org/user/1485048
[10] https://www.drupal.org/user/227849
[11] https://www.drupal.org/user/157725
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/larowlan
More information about the Security-news
mailing list