3 matches found

Cvelist
added 2026/03/24 5:32 p.m., 17 views

CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either...

CVSS: 7.1, EPSS: 0.00013
Exploits: 0, References: 3
OSV
added 2026/03/24 5:32 p.m., 1 views

CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00013
Exploits: 0, References: 5
Github Security Blog
added 2026/03/24 5:28 p.m., 4 views

Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

Summary: An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either source or destination section. Details: Root-cause analysis: 1. actionMoveToSection...

CVSS: 7.1, AI score: 5.9, EPSS: 0.00013
Exploits: 0, References: 5, Affected Software: 1