it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
- Date: Wed, 28 Feb 2024 19:04:48 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-012
Project: Private content [1]
Date: 2024-February-28
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.1.0
Description:
This module gives each node a 'private' checkbox. If it's set, the node can
only be seen by the node author, or users with the 'access private content'
permission.
The module incorrectly grants access to private nodes under certain specific
circumstances. This vulnerability is mitigated by the fact that an attacker
must have a role with the permission "Access private content".
Solution:
Install the latest version:
* If you use the Private Content module for Drupal 8.x, upgrade to Private
Content 8.x-2.1 [3]
Reported By:
* kiwimind [4]
Fixed By:
* Adam Shepherd [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
* Juraj Nemec [7] of the Drupal Security Team
[1] https://www.drupal.org/project/private_content
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_content/releases/8.x-2.1
[4] https://www.drupal.org/user/749470
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/272316
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
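
Added example (not part of the advisory or of the Private Content project): a check for the affected range "<2.1.0" against a site's composer.lock. The Composer package name drupal/private_content and the handling of dev and pre-release versions are assumptions; the sample lock file is constructed.

```python
import json
import re

PACKAGE = "drupal/private_content"  # assumed Composer name of the project
FIXED = (2, 1, 0)                   # advisory: affected versions are <2.1.0

def classify(raw):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = raw.strip().lower().removeprefix("v").removeprefix("8.x-")
    if "dev" in v:
        return "unknown"            # branch checkout: compare commits by hand
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9a-z.]+)?", v)
    if not m:
        return "unknown"
    parts = tuple(int(x or 0) for x in m.group(1, 2, 3))
    if parts < FIXED:
        return "affected"
    if parts == FIXED and m.group(4):
        return "unknown"            # pre-release of the fixed version
    return "fixed"

def audit_lock(lock_text):
    """Return (version, status) for PACKAGE in a composer.lock, or (None, 'absent')."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                return version, classify(version)
    return None, "absent"

# Constructed sample lock file, trimmed to the fields the audit reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.3"},
        {"name": "drupal/private_content", "version": "2.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An 'unknown' result means the installed code has to be compared with the 8.x-2.1 release by hand.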