[Security-news] Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-060

Project: Single Content Sync [1]
Date: 2025-May-14
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.4.12
CVE IDs: CVE-2025-48009
Description: 
This module enables you to seamlessly migrate and deploy content across
environments, eliminating manual steps. It simplifies the process by
exporting content to a YML file or a ZIP archive, which can be imported into
another environment effortlessly.

While the export feature rightfully bypasses implemented access controls,
enabling it to extract all entity data, including private and confidential
information, to the mentioned formats, it fails to adequately safeguard the
generated output.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "export single content" or "Allow user to export all
content".

Solution: 
Install the latest version:

  * If you use the Single Content Sync module for Drupal, upgrade to Single
    Content Sync 1.4.12. [3]

Reported By: 
  * Dezső Biczó (mxr576) [4]

Fixed By: 
  * Dave Long (longwave) [5] of the Drupal Security Team
  * Dezső Biczó (mxr576) [6]
  * Oleksandr Kuzava (nginex) [7]

Coordinated By: 
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/single_content_sync
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/single_content_sync/releases/1.4.12
[4] https://www.drupal.org/u/mxr576
[5] https://www.drupal.org/u/longwave
[6] https://www.drupal.org/u/mxr576
[7] https://www.drupal.org/u/nginex
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10