Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067
  • Date: Wed, 17 Oct 2018 22:54:45 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-067

Project: Workbench Moderation [1]
Date: 2018-October-17
Security risk: *Moderately critical* 11∕25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
The Workbench Moderation module adds arbitrary moderation states to Drupal
core's "unpublished" and "published" node states, and affects the behavior of
node revisions when nodes are published.

In some conditions, content moderation fails to check a users access to use
certain transitions, leading to an access bypass.

This issue is related to the Drupal Core release SA-CORE-2018-006 [3].

Solution: 
Install the latest version:

* If you use the Workbench Moderation module for Drupal 8.x, upgrade to
Workbench Moderation 8.x-1.4 [4]

Also see the Drupal core [5] project page.

Reported By: 
* Roland Kovacsics [6]

Fixed By: 
* Wim Leers [7]
* Daniel Wehner [8]
* Sam Becker [9]
* Tim Millwood [10]
* Alex Pott [11] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team


[1] https://www.drupal.org/project/workbench_moderation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/project/workbench_moderation/releases/8.x-1.4
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/user/3528385
[7] https://www.drupal.org/user/99777
[8] https://www.drupal.org/user/99340
[9] https://www.drupal.org/user/1485048
[10] https://www.drupal.org/user/227849
[11] https://www.drupal.org/user/157725
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/larowlan

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067, security-news, 18.10.2018

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang