Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2018-October-31
Vulnerability:
Access bypass
Affected versions:
<1.2.0
Description:
This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.
The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.
Solution:
Install the latest version:
- If you use the Decoupled Router module for Drupal 8.x, upgrade to Decoupled Router 8.x-1.2
Also see the Decoupled Router project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Michael Hess (mlhess) of the Drupal Security Team
