Description
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Remediation
References
Related Vulnerabilities
WordPress Plugin Booking Calendar Cross-Site Scripting (7.1)
WordPress Plugin WP Maps-Display Google Maps Perfectly with Ease Cross-Site Scripting (4.3.9)
WordPress Plugin Duplicate Page and Post SQL Injection (2.5.6)
Jenkins Origin Validation Error Vulnerability (CVE-2024-23898)
Dotclear Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1584)