Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

Project: Renderkit
Date: 2018-September-19
Security risk: *Moderately critical* 11∕25
Vulnerability: Access bypass


This module, typically in combination with cfr:cfrplugin, allows site builders
to compose behaviors from granular components. One such behavior is to display
a list of related entities for a given source entity and a given entity
relation (e.g. an entity reference field).

The components that display related content do not check whether the user has
access to view the related entities. As a result, unpublished nodes, for
example, may be displayed to anonymous visitors.
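
The missing check described above, sketched for custom Drupal 7 code that renders nodes referenced from a source node. This is an added example, not Renderkit's own code or its patch. The function name and the field name passed in are hypothetical, and the field is assumed to be an entityreference field targeting nodes.

```php
<?php
/**
 * Added example (not Renderkit code). Builds a render array of the nodes
 * referenced by a source node, skipping any the viewer may not see.
 *
 * Assumptions: the function name and $field_name are hypothetical; the field
 * is an entityreference field targeting nodes, which stores each referenced
 * id under 'target_id'.
 */
function example_related_nodes_view($source_node, $field_name, $account = NULL) {
  // field_get_items() returns FALSE when the field is empty.
  $items = field_get_items('node', $source_node, $field_name);
  if (empty($items)) {
    return array();
  }

  $nids = array();
  foreach ($items as $item) {
    $nids[] = $item['target_id'];
  }
  $nodes = node_load_multiple($nids);

  // The flawed pattern renders $nodes at this point without further checks,
  // so an unpublished node referenced from a published one is displayed to
  // anonymous visitors. Access to the source node says nothing about access
  // to the nodes it references.
  //
  // Hardened: keep only nodes the account has 'view' access to. With
  // $account = NULL, node_access() checks the current user.
  foreach ($nodes as $nid => $node) {
    if (!node_access('view', $node, $account)) {
      unset($nodes[$nid]);
    }
  }

  return $nodes ? node_view_multiple($nodes, 'teaser') : array();
}
```
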

This vulnerability is mitigated by the facts that
- a site builder must have used the component that displays "related"
entities for a source entity, using cfr:cfrplugin, OR a programmer has used
one of the affected components in code.
- a source entity displayed this way must reference access-restricted


Install the latest version:

* If you use the Renderkit module for Drupal 7.x, upgrade to Renderkit 7.x-1.6
