EIQ-2018-0013



ID

EIQ-2018-0013

(Former ref.: 19225)

CVE

-

Description

Publish draft entity without modify draft-entities permission

Date

-

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✓ 2.4.0

Assessment

A user with the modify entities permission and without the modify draft-entities permission can promote an entity from draft to publication.

Mitigation

To prevent users from publishing draft entities, ensure they lack both the modify entities and the modify draft-entities permissions.

Affected versions

2.1.2 to 2.3.4 inclusive.

Notes

Currently modify entities acts like a superset of modify draft-entities.

modify entities should affect only entities in the published state, and it should not impact entities in draft state.
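
The difference between the affected check and the intended one, with an audit of which users it affects, as an added example that is not the product's own code. The two permission names come from this advisory; the data model, function names and sample users are hypothetical.

```python
from enum import Enum

# Permission names as written in the advisory.
MODIFY_ENTITIES = "modify entities"
MODIFY_DRAFTS = "modify draft-entities"


class State(Enum):
    DRAFT = "draft"
    PUBLISHED = "published"


def can_modify_affected(perms, state):
    """Affected behaviour: 'modify entities' acts like a superset of
    'modify draft-entities', so it is accepted for drafts as well."""
    if MODIFY_ENTITIES in perms:
        return True
    return state is State.DRAFT and MODIFY_DRAFTS in perms


def can_modify_intended(perms, state):
    """Behaviour the Notes call for: each permission covers one state only."""
    required = MODIFY_DRAFTS if state is State.DRAFT else MODIFY_ENTITIES
    return required in perms


def unexpected_draft_publishers(assignments):
    """Users who can act on drafts under the affected check only."""
    return sorted(
        user for user, perms in assignments.items()
        if can_modify_affected(perms, State.DRAFT)
        and not can_modify_intended(perms, State.DRAFT)
    )


# Constructed sample of user -> permission assignments (hypothetical export).
SAMPLE = {
    "analyst": {MODIFY_ENTITIES},
    "editor": {MODIFY_ENTITIES, MODIFY_DRAFTS},
    "drafter": {MODIFY_DRAFTS},
    "reader": set(),
}

if __name__ == "__main__":
    for user in unexpected_draft_publishers(SAMPLE):
        print(f"{user}: holds '{MODIFY_ENTITIES}' without '{MODIFY_DRAFTS}'")
```

On an affected version, every user the audit lists needs the modify entities permission removed for the mitigation above to hold.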
