6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.967 High
EPSS
Percentile
99.7%
CVE: CVE-2012-1635
This module enables you to create moderation publication workflows, allowing authors to create content that isn’t visible to the public until it has been approved by a moderator/publisher.
The module’s implementation of hook_node_access() assumes that access is to granted/denied based on the logged-in user’s permissions. However, the hook may be invoked in contexts whereby the access grants are to be returned for a particular account passed into the hook. This could result in an access bypass vulnerability if node_access() is called for a specific user account.
This vulnerability happens when using the XML sitemap module which as a result will disclose the URLs of un-accessible or unpublished content to anonymous users. The actual content itself is not disclosed.
Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.
Install the latest version:
See also the Revisioning project page.