drupal, Drupal Security Team, DRUPAL-SA-CONTRIB-2018-060
Sep 19, 2018 - 12:00 a.m.

Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

www.drupal.org

This module, typically in combination with cfr:cfrplugin, allows behaviors to be composed from granular components. One such behavior is to display a list of related entities for a given source entity and a given entity relation (e.g. an entity reference field).

The components that display related content do not check whether the user has access to view the related entities. As a result, content such as unpublished nodes may be displayed to anonymous visitors.

This vulnerability is mitigated by the facts that:

- a site builder must have used the component that displays "related" entities for a source entity, using cfr:cfrplugin, OR a programmer has used one of the affected components in code.
- a source entity displayed this way must reference access-restricted content.
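The missing check, shown as an added Drupal 7 example that is not taken from the advisory or from Renderkit's code. The function names are hypothetical, and the code assumes the Entity API module (for entity_access()) and an entityreference field whose items store the referenced id in 'target_id'.

```php
<?php
/**
 * Added example; function names are hypothetical, not Renderkit's API.
 * Assumes Drupal 7 with the Entity API module and an entityreference field.
 */

/**
 * Loads the entities referenced by $field_name on a source entity.
 * No access check is made: this is the pattern the advisory describes.
 */
function example_related_entities_unchecked($source_type, $source, $field_name) {
  $field = field_info_field($field_name);
  $target_type = $field['settings']['target_type'];
  $ids = array();
  // field_get_items() returns FALSE when the field is empty.
  $items = field_get_items($source_type, $source, $field_name);
  foreach ($items ? $items : array() as $item) {
    $ids[] = $item['target_id'];
  }
  $entities = $ids ? entity_load($target_type, $ids) : array();
  return array($target_type, $entities);
}

/**
 * Same lookup, but keeps only the entities that $account may view.
 * $account = NULL means the current user, which may be anonymous.
 */
function example_related_entities_viewable($source_type, $source, $field_name, $account = NULL) {
  list($target_type, $entities) = example_related_entities_unchecked($source_type, $source, $field_name);
  foreach ($entities as $id => $entity) {
    // entity_access() returns NULL when the entity type defines no access
    // callback; treat anything other than TRUE as "deny" (fail closed).
    if (entity_access('view', $target_type, $entity, $account) !== TRUE) {
      unset($entities[$id]);
    }
  }
  return array($target_type, $entities);
}
```

With the second function, an unpublished node referenced by the source entity is dropped for an anonymous visitor before anything is rendered, because the node 'view' check fails for that account.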

Affected configurations

Node: drupal renderkit, range < 7.x-1.6

CPE name    Operator    Version
renderkit   lt          7.x-1.6