Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018- 071

Project: Decoupled Router
Version: 8.x-1.18.x-1.0
Date: 2018-October-31
Security risk: *Critical* 15∕25
Vulnerability: Access bypass

Description

This module enables you to resolve the provided Drupal path in order to find
the canonical path and information about the resolved entity. This
information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels.
This leads to the display of labels on entities that are not be accessible,
for example; titles of unpublished content.

Solution

Install the latest version:

* If you use the Decoupled Router module for Drupal 8.x, upgrade to
Decoupled Router 8.x-1.2

Also see the Decoupled Router project page.

Add new comment