
it-securitynotifies - [IT-SecNots] [Security-news] Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
  • Date: Wed, 4 May 2022 17:19:41 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-038

Project: Quick Node Clone [1]
Date: 2022-May-04
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All [2]
Vulnerability: Access bypass

Description: 
The module adds a "Clone" tab to a node. When clicked, a new node is created
and fields from the previous node are populated into the new fields. This
module supports paragraphs, groups, and other referenced entities.

The module has a vulnerability which allows attackers to bypass the
protection to clone any group content with an access check. Users are allowed
to copy other groups' nodes, and if they do that, the node gets added to
groups they don't have access to.

Solution: 
Install the latest version:

* If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick
Node Clone 8.x-1.15 [3]

Reported By: 
* Benjamin Rasmussen [4]

Fixed By: 
* Benjamin Rasmussen [5]
* Neslee Canil Pinto [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team


[1] https://www.drupal.org/project/quick_node_clone
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_clone/releases/8.x-1.15
[4] https://www.drupal.org/user/3191699
[5] https://www.drupal.org/user/3191699
[6] https://www.drupal.org/user/3580850
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450
