DRUPAL-CONTRIB-2024-042

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/diff/DRUPAL-CONTRIB-2024-042.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-042

Aliases

CVE-2024-13278

Published

2024-10-02T16:15:59Z

Modified

2025-12-10T23:41:33.736343Z

Summary

[none]

Details

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.

References

https://www.drupal.org/sa-contrib-2024-042

Credits

- Matthias Vogel
- - https://www.drupal.org/user/3319139

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/diff

Package

Name: drupal/diff
Purl: pkg:composer/drupal/diff

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.8.0

Database specific

{
    "constraint": "<1.8.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0-beta1

Fixed

2.0.0-beta3

Database specific

{
    "constraint": ">=2.0.0-beta1 <2.0.0-beta3"
}

Database specific

affected_versions

"<1.8.0 || >=2.0.0-beta1 <2.0.0-beta3"

patched

true

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/diff/DRUPAL-CONTRIB-2024-042.json"