DRUPAL-CONTRIB-2022-038

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/quick_node_clone/DRUPAL-CONTRIB-2022-038.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-038
Published
2022-05-04T16:26:47Z
Modified
2025-12-10T23:33:49.722670Z
Summary
[none]
Details

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.

The module has a vulnerability which allows attackers to bypass the protection to clone any group content with an access check. Users are allowed to copy other group's nodes, and if they do that, the node gets added to groups they don't have access to.

This vulnerability is mitigated by the fact it only affects sites that also use the Groups contributed module.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/quick_node_clone

Package

Name
drupal/quick_node_clone
Purl
pkg:composer/drupal/quick_node_clone

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.15.0
Database specific
{
    "constraint": "<1.15.0"
}

Database specific

affected_versions
"<1.15.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/quick_node_clone/DRUPAL-CONTRIB-2022-038.json"