Craft CMS Authorization Bypass Vulnerability in Entry Movement Functionality

Vulnerability

An authorization bypass vulnerability has been identified in Craft CMS versions from 5.3.0 up to, but not including, 5.9.14. It allows authenticated control panel users holding only the accessCp permission to move entries between sections through the POST /actions/entries/move-to-section endpoint. The issue arises because the endpoint does not enforce the necessary authorization checks for the source section, the destination section, or the individual entries being moved. As a result, users can relocate entries without the required permissions, potentially disrupting editorial workflows and content management processes.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in content management, allowing users to move entries across sections without proper authorization. This could disrupt editorial workflows and routing controls, creating confusion and mismanagement of content.

Reproduction

To reproduce this vulnerability, an authenticated control panel user with only the accessCp permission sends a POST request to the /actions/entries/move-to-section endpoint, including the sectionId and entryIds parameters. Even when the user lacks the saveEntries permission for the source or destination section, the move succeeds, bypassing the intended authorization controls.
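The following added example (not Craft CMS code) models the check that the advisory says is missing: the pre-fix logic, which only requires control panel access, beside a hardened version that fails closed unless the user holds saveEntries for the destination section, for every source section, and is allowed to edit each entry. The permission names accessCp and saveEntries come from the advisory; the "saveEntries:<sectionId>" scoping, the per-entry editor list and the in-memory store are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    id: int
    section_id: str
    editors: set[str] = field(default_factory=set)  # constructed per-entry ACL (assumption)


@dataclass
class User:
    name: str
    permissions: set[str] = field(default_factory=set)

    def can(self, perm: str) -> bool:
        return perm in self.permissions


def authorize_move_vulnerable(user: User, params: dict, store: dict) -> bool:
    """Pre-fix behaviour as the advisory describes it: control panel access is enough."""
    return user.can("accessCp")


def authorize_move_hardened(user: User, params: dict, store: dict) -> tuple[bool, str]:
    """Fail closed unless every section and entry involved in the move is authorized.

    params mirrors the request body (sectionId, entryIds); store maps an entry id
    to an Entry and stands in for the database.
    """
    if not user.can("accessCp"):
        return False, "no control panel access"
    dest = str(params.get("sectionId", ""))
    # Destination section: the user must be allowed to save entries there.
    if not user.can(f"saveEntries:{dest}"):
        return False, f"missing saveEntries for destination section {dest!r}"
    for raw_id in params.get("entryIds", []):
        try:
            entry = store.get(int(raw_id))
        except (TypeError, ValueError):
            entry = None
        if entry is None:
            return False, f"unknown entry {raw_id!r}"  # never move what cannot be checked
        # Source section: saving rights are required where the entry currently lives.
        if not user.can(f"saveEntries:{entry.section_id}"):
            return False, f"missing saveEntries for source section {entry.section_id!r}"
        # Entry level: the user must be allowed to edit this specific entry.
        if user.name not in entry.editors:
            return False, f"not permitted to edit entry {entry.id}"
    return True, "ok"
```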

Remediation

Users can update to Craft CMS version 5.9.14 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 6:28 PM
Updated: Mar 24, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.