[Security-news] Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
security-news at drupal.org
Wed May 4 17:19:41 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-038
Project: Quick Node Clone [1]
Date: 2022-May-04
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All [2]
Vulnerability: Access bypass
Description:
The module adds a "Clone" tab to a node. When clicked, a new node is created
and fields from the previous node are populated into the new fields. This
module supports paragraphs, groups, and other referenced entities.
The module has a vulnerability that allows attackers to bypass the access
check that protects group content from being cloned. Users are able to copy
other groups' nodes, and if they do, the node gets added to groups they
don't have access to.
Solution:
Install the latest version:
* If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick
Node Clone 8.x-1.15 [3]
Reported By:
* Benjamin Rasmussen [4]
Fixed By:
* Benjamin Rasmussen [5]
* Neslee Canil Pinto [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/quick_node_clone
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_clone/releases/8.x-1.15
[4] https://www.drupal.org/user/3191699
[5] https://www.drupal.org/user/3191699
[6] https://www.drupal.org/user/3580850
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450