Project: 
Date: 2024-October-02
Vulnerability: Access bypass, Information Disclosure
Affected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3
CVE IDs: CVE-2024-13278
Description: 

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role that holds either the general node permission "view all revisions", one of the more specific node type permissions "view %bundle revisions", or the equivalent revision permission for another entity type that supports diff.

Solution: 

Install the latest version:

  • If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8
Reported By: 
Coordinated By: