VYPR
Moderate severity · NVD Advisory · Published Jun 11, 2025 · Updated Jun 11, 2025

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

CVE-2025-48013

Description

The Quick Node Block module for Drupal has an access bypass vulnerability allowing users to view node content they are not authorized to see.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Quick Node Block module for Drupal provides a block to easily display a rendered node. A missing authorization vulnerability exists in versions before 2.0.0 that allows forceful browsing to access node content without proper permission checks. The access to the rendered node is not validated before rendering the block, leading to an access bypass issue [1][2].

Exploitation Details

An attacker can exploit this by simply requesting the block for a node that they normally would not have permission to view. No authentication or special privileges beyond normal site access are required. The module fails to perform an access check on the node before rendering it in the block, allowing any user who can see the block to view the content [2].

Impact

Successful exploitation allows an attacker to view node content that should be restricted to authorized users only. This can include private pages, sensitive content, or any node with access control restrictions. The severity is rated as moderately critical [2].

Mitigation

The vulnerability is fixed in Quick Node Block version 2.0.0. Users should update to this version or later to prevent the access bypass. No known workarounds are available; upgrading is the recommended action [1][2].
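
The missing check described above, shown as an added illustration that is not the Quick Node Block module's code: a hypothetical Drupal block plugin that renders one configured node and validates node-level view access before rendering. The namespace, class name, plugin ID and the `nid` configuration key are assumptions.

```php
<?php

namespace Drupal\example_node_block\Plugin\Block;

use Drupal\Core\Block\BlockBase;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\node\Entity\Node;

/**
 * Hypothetical block that renders one configured node (illustration only).
 *
 * @Block(
 *   id = "example_node_block",
 *   admin_label = @Translation("Example node block")
 * )
 */
class ExampleNodeBlock extends BlockBase {

  /**
   * {@inheritdoc}
   */
  public function build() {
    // 'nid' is an assumed configuration key holding the node ID to display.
    $node = Node::load($this->configuration['nid'] ?? 0);
    if (!$node) {
      return [];
    }

    // Block visibility says nothing about the node itself. Without this
    // check the node is rendered for anyone who can see the block, whatever
    // the node's own access rules (unpublished state, access grants) say.
    $access = $node->access('view', \Drupal::currentUser(), TRUE);

    $build = [];
    if ($access->isAllowed()) {
      // Static service calls keep the example short; a real plugin would
      // inject the entity type manager and current user.
      $build = \Drupal::entityTypeManager()
        ->getViewBuilder('node')
        ->view($node, 'full');
    }

    // Attach the access result's cacheability so a copy rendered for a
    // permitted user is never served from cache to one who is not.
    CacheableMetadata::createFromRenderArray($build)
      ->addCacheableDependency($access)
      ->addCacheableDependency($node)
      ->applyTo($build);
    return $build;
  }

}
```

When reviewing other custom or contributed blocks that render entities, look for a load-then-render path in `build()` with no `access('view')` call in between.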

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: drupal/quick_node_block (Packagist)
Affected versions: < 2.0.0
Patched versions: 2.0.0
