Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check
🔗 CVE IDs covered (1)
📋 Description
Summary
The EntriesController::actionMoveToSection() endpoint checks only whether the current user can view the destination section, but it does not require permission to save entries into that section. A low-privileged authenticated control-panel user who can move an entry out of its current section can therefore move that entry into a different section where they have read access but no write access.
Details
The vulnerable route is implemented in EntriesController.php:465:
The destination check is only viewEntries:$section->uid . The source-entry gate is Entry::canMove(), which verifies whether the user can move the existing entry based on the source section:
This closes the exploit chain:
- External source: authenticated CP request to
entries/move-to-section. - Missing authorization check: destination section requires only
viewEntries, notsaveEntries. - Privileged sink:
moveEntryToSection()rewritessectionIdand saves the entry into the unauthorized section.
Preconditions derived from the code:
- The attacker is authenticated to the control panel.
- Entry
345is movable by the attacker from its current section. - The attacker can satisfy
viewEntrieson destination section12. - The attacker does not have
saveEntries:DESTINATION_UID, which is the missing check that makes the bypass possible.
Result:
- The controller accepts the request because
viewEntries:$section->uidpasses. - Each source entry passes
canMove()based on source-section permissions. moveEntryToSection()updates the entry’ssectionIdand saves it.- The entry is now located in a section where the attacker did not have write permission.
Impact
This breaks the intended section-level authorization model. A user with limited content permissions can inject or relocate content into a protected section, interfering with editorial boundaries, approval workflows, section-specific business logic, and content ownership expectations.
🎯 Affected products1
- composer/craftcms/cms:>= 5.0.0-RC1, < 5.9.21