Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

Project: Quick Node Clone
Date: 2022-May-04
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.

The module has a vulnerability that allows attackers to bypass the access check protecting group content and clone any of it. Users can copy nodes that belong to other groups, and when they do, the cloned node is added to groups they don't have access to.

This vulnerability is mitigated by the fact that it only affects sites that also use the Groups contributed module.

Solution

Install the latest version:

If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick Node Clone 8.x-1.15

Nick Onom
Marketing Project Manager