Project: Node View PermissionsVersion: 8.x-1.x-dev7.x-1.x-devDate: 2018-January-10Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access BypassDescription:
The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.
This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.
This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.
Install the latest version:
- If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.5 or higher.
- If you use the Node View Permissions module for Drupal 8.x, upgrade to Node View Permissions 8.x-1.1 or higher.
- The module maintainer
- David Rothstein Of the Drupal Security Team