Drupal 7 Internationalization Module Unpublished Node Access Vulnerability

A broken access control vulnerability has been identified in the Internationalization (i18n) module for Drupal 7, specifically within the i18n_node submodule, affecting versions 7.1.0 prior to 7.1.35. This vulnerability allows users with 'Translate content' and 'Administer content translations' permissions to access and attach unpublished nodes through the translation user interface and its autocomplete feature. This exploitation bypasses normal access controls, revealing unpublished node titles and IDs.

Impact

Exploitation of this vulnerability could lead to unauthorized access to unpublished content, allowing users to view and attach such content as translations, thereby bypassing intended access restrictions.

Reproduction

To reproduce this vulnerability, create a Drupal 7 installation and install a vulnerable version of the i18n module, such as 7.1.35. After enabling the i18n and i18n_node modules, add a second language and make the 'Article' content type translatable. Create two unpublished articles in different languages, noting their node IDs. Then, create a user role with the necessary translation permissions and log in as a user with that role. The unpublished nodes can be accessed through the translation tab, and their titles and IDs can be retrieved via the translation autocomplete feature.

Remediation

Users can update to the latest version of the i18n module or remove the 'Administer content translations' permission until the update is applied. HeroDevs customers can access a patched version of the module.