Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Project: Node View Permissions

Version: 8.x-1.x-dev, 7.x-1.x-dev

Date: 2018-January-10

Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Access Bypass

Description:

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.

This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.

Solution: 

Install the latest version:

Reported By: 

Fixed By: 

  • The module maintainer

Coordinated By: