Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
Vulnerability: Access Bypass

Description

The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.

Solution

Install the latest version:

* If you use the Node View Permissions module for Drupal 7.x, upgrade to
Node View Permissions 7.x-1.5 or higher.
* If you use the Node View Permissions module for Drupal 8.x, upgrade to
Node View Permissions 8.x-1.1 or higher.
