DRUPAL-CONTRIB-2025-060

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/single_content_sync/DRUPAL-CONTRIB-2025-060.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-060

Aliases

CVE-2025-48009

Published

2025-05-14T18:05:04Z

Modified

2025-12-10T23:41:24.856251Z

Summary

[none]

Details

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly.

While the export feature rightfully bypasses implemented access controls, enabling it to extract all entity data, including private and confidential information, to the mentioned formats, it fails to adequately safeguard the generated output.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "export single content" or "Allow user to export all content".

References

https://www.drupal.org/sa-contrib-2025-060

Credits

- Dezső Biczó (mxr576)
- - https://www.drupal.org/u/mxr576

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/single_content_sync

Package

Name: drupal/single_content_sync
Purl: pkg:composer/drupal/single_content_sync

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.4.12

Database specific

{
    "constraint": "<1.4.12"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/single_content_sync/DRUPAL-CONTRIB-2025-060.json"

affected_versions

"<1.4.12"