DRUPAL-CONTRIB-2022-054

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/next/DRUPAL-CONTRIB-2022-054.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-054

Published

2022-09-07T16:57:28Z

Modified

2025-12-10T23:32:40.547587Z

Summary

[none]

Details

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.

References

https://www.drupal.org/sa-contrib-2022-054

Credits

- Lauri Eskola
- - https://www.drupal.org/user/1078742

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/next

Package

Name: drupal/next
Purl: pkg:composer/drupal/next

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.3.0

Database specific

{
    "constraint": "<1.3.0"
}

Database specific

affected_versions

"<1.3.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/next/DRUPAL-CONTRIB-2022-054.json"