[IT-SecNots] [Security-news] Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-065

Project: Quick Node Block [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.0.0
CVE IDs: CVE-2025-48013
Description: 
This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before rendering the block.
Allowing access to node content for users that would normally not be allowed
to access the node.

Solution: 
Update to the latest version.

 * If you use the Quick Node Block module, update to Quick Node Block 2.0.1
   [3]

Reported By: 
 * Mitch Portier (arkener) [4]

Fixed By: 
 * Mitch Portier (arkener) [5]
 * Antonio Sánchez (saesa) [6]

Coordinated By: 
 * Greg Knaddison (greggles) [7] of the Drupal Security Team
 * Ivo  Van Geertruyen (mr.baileys) [8] of the Drupal Security Team
 * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/quick_node_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_block/releases/2.0.1
[4] https://www.drupal.org/u/arkener
[5] https://www.drupal.org/u/arkener
[6] https://www.drupal.org/u/saesa
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mrbaileys
[9] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news