DRUPAL-CONTRIB-2024-035

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/content_entity_clone/DRUPAL-CONTRIB-2024-035.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-035

Aliases

CVE-2024-13271

Published

2024-09-04T15:40:44Z

Modified

2025-12-10T23:41:25.715398Z

Summary

[none]

Details

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.

The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.

This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.

References

https://www.drupal.org/sa-contrib-2024-035

Credits

- Vojislav Jovanovic
- - https://www.drupal.org/user/92189

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/content_entity_clone

Package

Name: drupal/content_entity_clone
Purl: pkg:composer/drupal/content_entity_clone

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.4

Database specific

{
    "constraint": "<1.0.4"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/content_entity_clone/DRUPAL-CONTRIB-2024-035.json"

affected_versions

"<1.0.4"