it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
- Date: Wed, 10 Jan 2018 19:33:42 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-002
Project: Node View Permissions [1]
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
Description:
The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.
This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.
*This issue was fixed by the maintainer outside of the normal security team
protocols. Some issues were patched in 2014 for the 7.x version of this
module. The 8.x release was updated within the last 6 months. Both are now
flagged as security updates.*
Solution:
Install the latest version:
* If you use the Node View Permissions module for Drupal 7.x, upgrade to
Node View Permissions 7.x-1.5 [3] or higher.
* If you use the Node View Permissions module for Drupal 8.x, upgrade to
Node View Permissions 8.x-1.1 [4] or higher.
Reported By:
* Heikki Kesa [5]
Fixed By:
* The module maintainer
Coordinated By:
* David Rothstein [6] of the Drupal Security Team
[1] https://www.drupal.org/project/node_view_permissions
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_view_permissions/releases/7.x-1.5
[4] https://www.drupal.org/project/node_view_permissions/releases/8.x-1.1
[5] https://www.drupal.org/u/heikki
[6] https://www.drupal.org/u/david_rothstein
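
A check an administrator could run against the module's info file to see whether the installed release predates the fixed versions named under Solution. This is an added example, not part of the advisory or the module's code; the sample file contents are constructed, and it assumes the `version` line that drupal.org packaging writes into `.info` and `.info.yml` files.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"7.x": (1, 5), "8.x": (1, 1)}

# Version line as written by drupal.org packaging (assumption of this example):
#   Drupal 7  node_view_permissions.info      ->  version = "7.x-1.4"
#   Drupal 8  node_view_permissions.info.yml  ->  version: '8.x-1.0'
VERSION_LINE = re.compile(r"""^\s*version\s*[=:]\s*["']?([^"'\s]+)["']?\s*$""", re.M)
RELEASE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+)(?:-([a-z]+)(\d+))?$")


def classify(info_text):
    """Return 'upgrade', 'ok' or 'unknown' for the text of an info file."""
    m = VERSION_LINE.search(info_text)
    if not m:
        return "unknown"   # git checkout or hand-edited file: no version line
    r = RELEASE.match(m.group(1))
    if not r or r.group(1) not in FIXED:
        return "unknown"   # e.g. 7.x-1.x-dev: a dev snapshot cannot be ordered
    installed = (int(r.group(2)), int(r.group(3)))
    fixed = FIXED[r.group(1)]
    if installed < fixed:
        return "upgrade"
    # A pre-release of the fixed version (e.g. 8.x-1.1-rc1) precedes it.
    if installed == fixed and r.group(4):
        return "upgrade"
    return "ok"


# Constructed sample file contents, not taken from a real site.
D7_SAMPLE = 'name = Node view permissions\ncore = 7.x\nversion = "7.x-1.4"\n'
D8_SAMPLE = "name: Node view permissions\ntype: module\nversion: '8.x-1.1'\n"
DEV_SAMPLE = 'core = 7.x\nversion = "7.x-1.x-dev"\n'

if __name__ == "__main__":
    for label, text in [("d7", D7_SAMPLE), ("d8", D8_SAMPLE), ("dev", DEV_SAMPLE)]:
        print(label, classify(text))
```

An `unknown` result means the version has to be checked by hand, for example by comparing the snapshot date of a dev build against the release dates on the project page.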