Fluid Attacks Database

Description

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/diff	>=0 <1.8.0 \|\| >=2.0.0-beta1 <2.0.0-beta3	1.8.0, 2.0.0-beta3

Aliases

1. CVE-2024-132782. NVD-2024-132783. OSV-DRUPAL-CONTRIB-2024-0424. OSV-2024-132785. GCVE-2024-132786. drupal.org

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.