Executive Summary

This vulnerability exists in the Drupal 7 Internationalization (i18n) module, specifically in the i18n_node submodule. It allows a user who has both the "Translate content" and "Administer content translations" permissions to bypass intended access controls. Through the translation user interface and its autocomplete widget, such a user can view and attach unpublished nodes, which normally should not be accessible. This results in the disclosure of unpublished node titles and IDs.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that unauthorized users with certain permissions can access unpublished content that should remain hidden. This can lead to unintended disclosure of sensitive or confidential information contained in unpublished node titles and IDs. Such exposure could compromise content privacy and potentially reveal internal or draft information prematurely.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows users with specific permissions to bypass access controls and view unpublished content titles and IDs. Such unauthorized disclosure of unpublished data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to sensitive or confidential information.

However, the provided information does not explicitly state the impact on compliance with these standards.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if users with both "Translate content" and "Administer content translations" permissions are able to view or attach unpublished nodes via the translation UI or its autocomplete widget.

One way to test this is to create a user role with these permissions but without "bypass node access", then attempt to access unpublished nodes through the translation interface or autocomplete search. If unpublished node titles and IDs are returned, the system is vulnerable.

Since the autocomplete feature returns unpublished content data in JSON responses, monitoring HTTP requests to the translation autocomplete endpoint and inspecting the responses for unpublished node information can help detect exploitation attempts.

Specific commands are not provided in the resources, but you can use tools like curl or browser developer tools to send requests to the translation autocomplete endpoint and analyze the JSON responses for unpublished content exposure.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps before applying the official patch include:

• Remove the "Administer content translations" permission from all user roles until the fix is applied.
• Disable the autocomplete function in the translation UI by using a hook or implementing a custom callback to intercept autocomplete requests.
• Implement custom node access checks using hook_menu_alter() to enforce proper access control.

Additionally, restrict the "Administer content translations" permission to only trusted roles to prevent unauthorized information disclosure.

The vulnerability is fixed in the patched version 7.1.36 of the i18n module, so applying this update as soon as possible is recommended.

Useful 0 Not Useful 0