Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13667Description:
The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.
The Workspaces module doesn’t sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.
This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.