View online: https://www.drupal.org/sa-contrib-2025-060
Project: Single Content Sync [1] Date: 2025-May-14 Security risk: *Moderately critical* 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <1.4.12 CVE IDs: CVE-2025-48009 Description: This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly.
While the export feature rightfully bypasses implemented access controls, enabling it to extract all entity data, including private and confidential information, to the mentioned formats, it fails to adequately safeguard the generated output.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "export single content" or "Allow user to export all content".
Solution: Install the latest version:
* If you use the Single Content Sync module for Drupal, upgrade to Single Content Sync 1.4.12. [3]
Reported By: * Dezső Biczó (mxr576) [4]
Fixed By: * Dave Long (longwave) [5] of the Drupal Security Team * Dezső Biczó (mxr576) [6] * Oleksandr Kuzava (nginex) [7]
Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/single_content_sync [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/single_content_sync/releases/1.4.12 [4] https://www.drupal.org/u/mxr576 [5] https://www.drupal.org/u/longwave [6] https://www.drupal.org/u/mxr576 [7] https://www.drupal.org/u/nginex [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10