{"id":"DRUPAL-CORE-2020-008","details":"The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.\n\nThe Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.\n\nThis vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.","aliases":["BIT-drupal-2020-13667","CVE-2020-13667","GHSA-x2q9-r8gm-f657"],"modified":"2025-12-10T23:41:07.067103Z","published":"2020-09-16T16:32:12Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-core-2020-008"}],"affected":[{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.0.0"},{"fixed":"8.8.10"}],"database_specific":{"constraint":"\u003e= 8.0.0 \u003c8.8.10"}},{"type":"ECOSYSTEM","events":[{"introduced":"8.9.0"},{"fixed":"8.9.6"}],"database_specific":{"constraint":"\u003e= 8.9.0 \u003c8.9.6"}},{"type":"ECOSYSTEM","events":[{"introduced":"9.0.0"},{"fixed":"9.0.6"}],"database_specific":{"constraint":"\u003e=9.0.0 \u003c9.0.6"}}],"versions":["8.0.0","8.0.1","8.0.2","8.0.3","8.0.4","8.0.5","8.0.6","8.1.0","8.1.0-beta1","8.1.0-beta2","8.1.0-rc1","8.1.1","8.1.10","8.1.2","8.1.3","8.1.4","8.1.5","8.1.6","8.1.7","8.1.8","8.1.9","8.2.0","8.2.0-beta1","8.2.0-beta2","8.2.0-beta3","8.2.0-rc1","8.2.0-rc2","8.2.1","8.2.2","8.2.3","8.2.4","8.2.5","8.2.6","8.2.7","8.2.8","8.3.0","8.3.0-alpha1","8.3.0-beta1","8.3.0-rc1","8.3.0-rc2","8.3.1","8.3.2","8.3.3","8.3.4","8.3.5","8.3.6","8.3.7","8.3.8","8.3.9","8.4.0","8.4.0-alpha1","8.4.0-beta1","8.4.0-rc1","8.4.0-rc2","8.4.1","8.4.2","8.4.3","8.4.4","8.4.5","8.4.6","8.4.7","8.4.8","8.5.0","8.5.0-alpha1","8.5.0-beta1","8.5.0-rc1","8.5.1","8.5.10","8.5.11","8.5.12","8.5.13","8.5.14","8.5.15","8.5.2","8.5.3","8.5.4","8.5.5","8.5.6","8.5.7","8.5.8","8.5.9","8.6.0","8.6.0-alpha1","8.6.0-beta1","8.6.0-beta2","8.6.0-rc1","8.6.1","8.6.10","8.6.11","8.6.12","8.6.13","8.6.14","8.6.15","8.6.16","8.6.17","8.6.18","8.6.2","8.6.3","8.6.4","8.6.5","8.6.6","8.6.7","8.6.8","8.6.9","8.7.0","8.7.0-alpha1","8.7.0-alpha2","8.7.0-beta1","8.7.0-beta2","8.7.0-rc1","8.7.1","8.7.10","8.7.11","8.7.12","8.7.13","8.7.14","8.7.2","8.7.3","8.7.4","8.7.5","8.7.6","8.7.7","8.7.8","8.7.9","8.8.0","8.8.0-alpha1","8.8.0-beta1","8.8.0-rc1","8.8.1","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9","8.9.0","8.9.1","8.9.2","8.9.3","8.9.4","8.9.5","9.0.0","9.0.1","9.0.2","9.0.3","9.0.4","9.0.5"],"database_specific":{"affected_versions":"\u003e= 8.0.0 \u003c8.8.10 || \u003e= 8.9.0 \u003c8.9.6 || \u003e=9.0.0 \u003c9.0.6","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2020-008.json"}}],"schema_version":"1.7.3","credits":[{"name":"Andrei Mateescu","contact":["https://www.drupal.org/user/729614"]}]}