Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Project:

Workbench Moderation

Date:

2018-October-17

Security risk:

Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Access bypass

Affected versions:

<1.4.0

Description:

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution:

Install the latest version:

If you use the Workbench Moderation module for Drupal 8.x, upgrade to Workbench Moderation 8.x-1.4

Also see the Drupal core project page.

Reported By:

Roland Kovacsics

Fixed By:

Wim Leers
Daniel Wehner
Sam Becker
Tim Millwood
Alex Pott of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Lee Rowlands of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community