Impact
Craft CMS contains a mass‑assignment flaw in the bulk‑duplicate element action. When an attacker duplicates their own entries, they can submit an arbitrary numeric id in the newAttributes request parameter. The duplication routine resets its internal id to null, but the supplied id is re‑applied during configuration, causing the underlying save operation to perform an UPDATE against the target entry row instead of an INSERT. As a result, the attacker's title, slug, authorId, postDate, and UID overwrite the victim's entry data. This vulnerability is a classic example of CWE‑915, where improper handling of input leads to unintended writes.
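The pattern described above, reduced to a minimal model and shown beside one hardened form. This is an added example, not Craft CMS code and not the project's patch: `EntryStore`, `duplicateVulnerable`, `duplicateHardened`, the allow-list and the sample rows are all hypothetical, and an in-memory array stands in for the entries table.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "entries" table keyed by primary key (hypothetical model).
final class EntryStore
{
    public array $rows = [];
    private int $nextId = 1;

    /** A set id overwrites that row (UPDATE); a null id creates a new row (INSERT). */
    public function save(array $entry): int
    {
        $id = $entry['id'] ?? $this->nextId++;
        $this->nextId = max($this->nextId, $id + 1);
        $this->rows[$id] = ['id' => $id] + $entry;
        return $id;
    }
}

/** Vulnerable shape: caller-supplied attributes are applied after the id reset. */
function duplicateVulnerable(EntryStore $db, int $sourceId, array $newAttributes): int
{
    $clone = $db->rows[$sourceId];
    $clone['id'] = null;                          // reset, as the advisory describes
    $clone = array_merge($clone, $newAttributes); // supplied id is re-applied here
    return $db->save($clone);                     // id is set, so this is an UPDATE
}

/** Hardened shape: only allow-listed attributes are accepted; the id never is. */
function duplicateHardened(EntryStore $db, int $sourceId, array $newAttributes): int
{
    $allowed = ['title' => true, 'slug' => true]; // hypothetical allow-list
    $clone = array_merge($db->rows[$sourceId], array_intersect_key($newAttributes, $allowed));
    $clone['id'] = null;                          // reset last, after all input is applied
    return $db->save($clone);                     // always an INSERT
}

// Constructed sample data: one entry owned by another author, one by the caller.
$db = new EntryStore();
$victimId = $db->save(['id' => null, 'title' => 'Victim post', 'authorId' => 10]);
$ownId    = $db->save(['id' => null, 'title' => 'My post', 'authorId' => 20]);

$newId = duplicateHardened($db, $ownId, ['id' => $victimId, 'title' => 'Copy']);
printf("hardened: wrote row %d, row %d title is '%s'\n", $newId, $victimId, $db->rows[$victimId]['title']);
$hitId = duplicateVulnerable($db, $ownId, ['id' => $victimId]);
printf("vulnerable: wrote row %d, row %d authorId is %d\n", $hitId, $victimId, $db->rows[$victimId]['authorId']);
```

The two functions differ in what they accept from the request and in when the id is cleared: filtering the overrides and resetting the id after all input is applied guarantees the save path can only insert.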
Affected Systems
Craft CMS versions 5.7.0 up to but not including 5.9.21 are affected. The vulnerability is fixed starting with version 5.9.21.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity. The EPSS score is <1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog, implying no known active exploitation at this time. The likely attack vector requires an authenticated user who can perform bulk‑duplicate operations on their own entries; the flaw allows that user to overwrite arbitrary existing entries by supplying a target id.