EIQ-2018-0013#
ID |
EIQ-2018-0013 (Former ref.: 19225) |
|---|---|
CVE |
- |
Description |
Publish draft entity without modify draft-entities permission |
Date |
- |
Severity |
1 - LOW |
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
Status |
✅ 2.4.0 |
Assessment |
A user with the modify entities permission and without the modify draft-entities permission can promote an entity from draft to publication. |
Mitigation |
To prevent users from publishing draft entities, ensure they lack both the modify entities and the modify draft-entities permissions. |
Affected versions |
2.1.2 to 2.3.4 included. |
Notes |
Currently modify entities acts like a superset of modify draft-entities. modify entities should affect only entities in the published state, and it should not impact entities in draft state. |