DRUPAL-CONTRIB-2023-047

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/content_moderation_notifications/DRUPAL-CONTRIB-2023-047.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-047
Published
2023-09-27T16:33:34Z
Modified
2025-12-10T23:31:27.130614Z
Summary
[none]
Details

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content_moderation module.

The module doesn't sufficiently check access to content when sending notifications.
This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/content_moderation_notifications

Package

Name
drupal/content_moderation_notifications
Purl
pkg:composer/drupal/content_moderation_notifications

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.6.0
Database specific
{
    "constraint": ">=3.0.0 <3.6.0"
}

Database specific

affected_versions
">=3.0.0 <3.6.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/content_moderation_notifications/DRUPAL-CONTRIB-2023-047.json"