========================== ========================== =================== CERT-Renater Note d'Information No. 2013/VULN373 _____________________________________________________________________ DATE : 30/08/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Node View Permissions for DRUPAL versions 7.x-1.0. ========================== ========================== ==================== https://drupal.org/node/2076315 ______________________________________________________________________ SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass Posted by Drupal Security Team on August 28, 2013 at 6:57pm Advisory ID: DRUPAL-SA-CONTRIB-2013-072 Project: Node View Permissions (third-party module) Version: 7.x Date: 2013-August-28 Security risk: Moderately critical Exploitable from: Remote Vulnerability: Access bypass Description The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view permission. CVE identifier(s) issued A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Node View Permissions 7.x-1.0. Drupal core is not affected. If you do not use the contributed Node View Permissions module, there is nothing you need to do. Solution Install the latest version: If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.2 Also see the Node View Permissions project page. Reported by Mark Theunissen Fixed by hoter the module maintainer Coordinated by Michael Hess of the Drupal Security Team Mark Ferree provisional member of the Drupal Security Team Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Categories: Drupal 7.x ========================== ========================== ==================== ========================== ========================== ======= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================== ========================== ======== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ========================== ========================== ========