[Security-news] Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004
security-news at drupal.org
Wed Jan 23 19:13:50 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-004
Project: Preview Link [1]
Date: 2019-January-23
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Preview Link module enables you to generate preview links so anonymous
users can access unpublished revisions of content.
The last release of the module introduced an access bypass allowing users to
present invalid tokens but still access unpublished content.
Solution:
Install the latest version:
* If you use the Preview Link module for Drupal 8.x, upgrade to Preview Link
8.x-1.1 [3]
Also see the Preview Link [4] project page.
Reported By:
* Daniel [5]
Fixed By:
* Daniel [6]
Coordinated By:
* Lee Rowlands [7] of the Drupal Security Team
[1] https://www.drupal.org/project/preview_link
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/preview_link/releases/8.x-1.1
[4] https://www.drupal.org/project/preview_link
[5] https://www.drupal.org/user/81431
[6] https://www.drupal.org/user/81431
[7] https://www.drupal.org/user/larowlan