it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
- Date: Wed, 4 May 2022 17:19:41 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-038
Project: Quick Node Clone [1]
Date: 2022-May-04
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All [2]
Vulnerability: Access bypass
Description:
The module adds a "Clone" tab to a node. When clicked, a new node is created
and fields from the previous node are populated into the new fields. This
module supports paragraphs, groups, and other referenced entities.
The module has a vulnerability which allows attackers to bypass the
protection to clone any group content with an access check. Users are allowed
to copy other groups' nodes, and if they do that, the node gets added to
groups they don't have access to.
Solution:
Install the latest version:
* If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick
Node Clone 8.x-1.15 [3]
Reported By:
* Benjamin Rasmussen [4]
Fixed By:
* Benjamin Rasmussen [5]
* Neslee Canil Pinto [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/quick_node_clone
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_clone/releases/8.x-1.15
[4] https://www.drupal.org/user/3191699
[5] https://www.drupal.org/user/3191699
[6] https://www.drupal.org/user/3580850
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450
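
The risk vector quoted in the advisory can be checked mechanically. The following is an added example, not part of the advisory or of Drupal's own code: it parses the vector string and recomputes the score, assuming the point values and level bands published on the risk-levels page [2]. The function names are hypothetical.

```python
# Added example: parser and scorer for the Drupal risk vector in the advisory.
# Assumption: point values and level bands follow Drupal's published
# risk-level definitions (reference [2]); verify them there before relying on it.

WEIGHTS = {
    "AC": {"None": 4, "Basic": 2, "Complex": 1},         # access complexity
    "A":  {"None": 4, "User": 2, "Admin": 1},            # authentication needed
    "CI": {"All": 5, "Some": 3, "None": 0},              # confidentiality impact
    "II": {"All": 5, "Some": 3, "None": 0},              # integrity impact
    "E":  {"Exploit": 5, "Proof": 3, "Theoretical": 1},  # exploit availability
    "TD": {"All": 2, "Default": 1, "Uncommon": 0},       # target distribution
}
# Lower bound of each band, highest first.
LEVELS = [(20, "Highly critical"), (15, "Critical"),
          (10, "Moderately critical"), (5, "Less critical"), (0, "Not critical")]


def parse_vector(vector):
    """Split 'AC:Complex/A:Admin/...' into a validated {metric: value} dict."""
    parsed = {}
    for part in vector.strip().split("/"):
        metric, sep, value = part.partition(":")
        if not sep or metric not in WEIGHTS or value not in WEIGHTS[metric]:
            raise ValueError(f"unrecognised component: {part!r}")
        if metric in parsed:
            raise ValueError(f"duplicate metric: {metric}")
        parsed[metric] = value
    missing = set(WEIGHTS) - set(parsed)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return parsed


def score(vector):
    """Return (points, level) for a risk vector; the maximum is 25 points."""
    parsed = parse_vector(vector)
    points = sum(WEIGHTS[m][v] for m, v in parsed.items())
    level = next(name for floor, name in LEVELS if points >= floor)
    return points, level


def check_advisory(vector, stated_points, stated_level):
    """True when the advisory's stated score and level match its vector."""
    points, level = score(vector)
    return points == stated_points and level.lower() == stated_level.lower()


if __name__ == "__main__":
    v = "AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All"  # from this advisory
    print(score(v), check_advisory(v, 10, "Moderately critical"))
```
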