Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
Project: Quick Node Clone
Date: 2022-May-04
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass
Description
The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.
The module has a vulnerability that allows attackers to bypass the access check that protects group content from being cloned. Users are allowed to copy nodes belonging to other groups, and when they do, the node is added to groups they don't have access to.
This vulnerability is mitigated by the fact that it only affects sites that also use the Groups contributed module.
Solution
Install the latest version:
If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick Node Clone 8.x-1.15.