[Security-news] Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018- 071
security-news at drupal.org
security-news at drupal.org
Wed Oct 31 18:13:28 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-071
Project: Decoupled Router [1]
Version: 8.x-1.18.x-1.0
Date: 2018-October-31
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module enables you to resolve the provided Drupal path in order to find
the canonical path and information about the resolved entity. This
information includes entity type ID, entity ID, entity UUID and entity label.
The module doesn't sufficiently check access before displaying entity labels.
This leads to the display of labels on entities that are not be accessible,
for example; titles of unpublished content.
Solution:
Install the latest version:
* If you use the Decoupled Router module for Drupal 8.x, upgrade to
Decoupled Router 8.x-1.2 [3]
Also see the Decoupled Router [4] project page.
Reported By:
* Rainer Friederich [5]
Fixed By:
* Mateu Aguiló Bosch [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Michael Hess (mlhess) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/decoupled_router
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/decoupled_router/releases/8.x-1.2
[4] https://www.drupal.org/project/decoupled_router
[5] https://www.drupal.org/user/3066367
[6] https://www.drupal.org/user/550110
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/102818
More information about the Security-news
mailing list