Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035

Project:

Content Entity Clone

Date:

2024-September-04

Security risk:

Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability:

Information Disclosure

Affected versions:

<1.0.4

CVE IDs:

CVE-2024-13271

Description:

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.

The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.

This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.

Solution:

Install the latest version:

If you use the content_entity_clone module prior to version 1.0.4, upgrade to content_entity_clone 1.0.4

Reported By:

Vojislav Jovanovic

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Contribution record

Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community