[IT-SecNots] [Security-news] Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-004

Project: Preview Link [1]
Date: 2019-January-23
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
The Preview Link module enables you to generate preview links so anonymous
users can access unpublished revisions of content.
The last release of the module introduced an access bypass allowing users to
present invalid tokens but still access unpublished content.

Solution: 
Install the latest version:

  * If you use the Preview Link module for Drupal 8.x, upgrade to Preview 
Link
    8.x-1.1 [3]

Also see the Preview Link [4] project page.

Reported By: 
  * Daniel   [5]

Fixed By: 
  * Daniel   [6]

Coordinated By: 
  * Lee Rowlands [7] of the Drupal Security Team


[1] https://www.drupal.org/project/preview_link
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/preview_link/releases/8.x-1.1
[4] https://www.drupal.org/project/preview_link
[5] https://www.drupal.org/user/81431
[6] https://www.drupal.org/user/81431
[7] https://www.drupal.org/user/larowlan

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news