[Security-news] Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

security-news at drupal.org
Wed Sep 19 16:40:27 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-060

Project: Renderkit [1]
Date: 2018-September-19
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module, typically used in combination with cfr:cfrplugin, lets you
compose behaviors from granular components. One such behavior is to display a
list of related entities for a given source entity and a given entity
relation (e.g. an entity reference field).

The components that display related content do not check whether the user has
access to view the related entities. As a result, unpublished nodes, for
example, may be displayed to anonymous visitors.

This vulnerability is mitigated by the fact that:
- a site builder must have used the component that displays "related"
  entities for a source entity, using cfr:cfrplugin, OR a programmer has used
  one of the affected components in code.
- a source entity displayed this way must reference access-restricted
  content.
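
Added example (not part of the advisory and not Renderkit's code): the kind of
view-access check the description says was missing, written against Drupal 7
core functions. The helper name example_related_nodes_view() is hypothetical,
and the field is assumed to be an entityreference field whose targets are nodes.

```php
<?php
/**
 * Added example, not Renderkit code. Hypothetical helper for a Drupal 7
 * module; assumes $field_name is an entityreference field targeting nodes.
 */
function example_related_nodes_view($source_type, $source, $field_name, $view_mode = 'teaser', $account = NULL) {
  // Entityreference stores each referenced id under 'target_id'.
  $items = field_get_items($source_type, $source, $field_name);
  if (empty($items)) {
    return array();
  }
  $nids = array();
  foreach ($items as $item) {
    $nids[] = $item['target_id'];
  }
  $nodes = node_load_multiple($nids);

  // The access check on related entities: drop every node the viewing
  // account may not see (unpublished, node-grant restricted, ...).
  // node_access() falls back to the current user when $account is NULL.
  foreach ($nodes as $nid => $node) {
    if (!node_access('view', $node, $account)) {
      unset($nodes[$nid]);
    }
  }

  // Without the loop above, node_view_multiple() renders whatever it is
  // given; it performs no access check of its own.
  return $nodes ? node_view_multiple($nodes, $view_mode) : array();
}
```

For related entities that are not nodes, entity_access('view', $entity_type,
$entity, $account) from the Entity API module plays the same role.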

Solution: 
Install the latest version:

   * If you use the Renderkit module for Drupal 7.x, upgrade to Renderkit
     7.x-1.6 [3]

Also see the Renderkit [4] project page.

Reported By: 
   * Andreas Hennings  [5]

Fixed By: 
   * Andreas Hennings  [6]

Coordinated By: 
   * Lee Rowlands [7]


[1] https://www.drupal.org/project/renderkit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/renderkit/releases/7.x-1.6
[4] https://www.drupal.org/project/renderkit
[5] https://www.drupal.org/user/459338
[6] https://www.drupal.org/user/459338
[7] https://www.drupal.org/u/larowlan


