CVE-2020-13667

CWE-276 — Incorrect Default Permissions6 documents5 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 65.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Core Drupal Drupal Drupal Core

Timeline

PublishedMay 17

Latest updateMay 24

Description

Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Packagistdrupal/core8.8.0 — 8.8.10+3

▶CVEListV5drupal/drupal_core8.8.X — 8.8.10+2

▶NVDdrupal/drupal8.8.0 — 8.8.10+2

▶Packagistdrupal/drupal8.8.0 — 8.8.10+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Drupal Core Access bypass vulnerability↗2022-05-24

▶

GHSA

Drupal Core Access bypass vulnerability↗2022-05-24

▶

CVEList

CVE-2020-13667: Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions↗2021-05-17

▶

OSV

CVE-2020-13667: The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published t↗2020-09-16

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008↗2020-09-16

▶