Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, < 5.9.0-beta.1
- >= 4.0.0-RC1, < 4.17.0-beta.1
A vulnerability exists in Craft CMS versions from 4.0.0-RC1 up to, but not including, 4.17.0-beta.1, and from 5.0.0-RC1 up to, but not including, 5.9.0-beta.1. The 'Duplicate' entry action does not properly validate whether the user has permission to duplicate the specific entries it is given. Users with only the 'View Entries' permission can bypass the UI restrictions and duplicate entries, including those of other users, by sending direct requests that contain the target Entry IDs. Exploitation is feasible because Entry IDs are sequential, which makes them easy to brute-force in order to reach restricted content.
Exploitation of this vulnerability could lead to unauthorized duplication of entries, allowing users to access and potentially misuse restricted content.
To reproduce this vulnerability, log in as a user with 'View Entries' permission. Identify a target Entry ID by brute-forcing through the incremental IDs. Then, send a POST request to the 'perform-action' endpoint, including the 'Duplicate' action and the selected Entry ID. This will create a duplicate entry under the attacker's ownership, granting access to the content.
Users can update to Craft CMS versions 5.9.0-beta.1 or 4.17.0-beta.1, where this vulnerability has been fixed.
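To check whether an installed version falls inside the affected ranges listed above, the following added example (not code from the advisory or from the Craft CMS project) compares a version string against those ranges. It assumes Composer-style ordering, in which alpha, beta and RC pre-releases sort below the final release of the same number; the function names are hypothetical.

```python
import re

# Affected ranges exactly as listed in the advisory: (first affected, first fixed).
AFFECTED = [("4.0.0-RC1", "4.17.0-beta.1"), ("5.0.0-RC1", "5.9.0-beta.1")]

# Assumption: pre-release tags sort below the final release of the same x.y.z.
_STABILITY = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
_VERSION = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse(version):
    """Turn '5.9.0-beta.1' or '4.0.0-RC1' into a tuple that sorts correctly."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch),
            _STABILITY[(tag or "").lower()], int(num or 0))


def fixed_release(version):
    """Return the first fixed release if version is affected, else None."""
    v = parse(version)
    for first_affected, first_fixed in AFFECTED:
        if parse(first_affected) <= v < parse(first_fixed):
            return first_fixed
    return None


def is_affected(version):
    """True if version is >= a first affected release and < its first fixed release."""
    return fixed_release(version) is not None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real installation.
    for sample in ["3.9.5", "4.0.0-RC1", "4.16.3", "4.17.0-beta.1", "5.8.0", "5.9.0"]:
        print(f"{sample:15} affected={is_affected(sample)} fix={fixed_release(sample)}")
```

A version string the parser does not recognise raises `ValueError` rather than being reported as unaffected.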