CVE-2020-13667
Published 2021-05-17
CVE-2020-13667: Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't…
Priority: P429 | medium | 5.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.93% (56.1th percentile)
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | core | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 8.8.X < 8.8.10 | 8.8.10 |
| drupal | drupal_core | >= 8.9.X < 8.9.6 | 8.9.6 |
| drupal | drupal_core | >= 9.0.X < 9.0.6 | 9.0.6 |
CVSS provenance
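| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |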
OSV
Drupal Core Access bypass vulnerability
osv·2022-05-24
CVE-2020-13667 [MEDIUM] Drupal Core Access bypass vulnerability
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
GHSA
Drupal Core Access bypass vulnerability
ghsa·2022-05-24
CVE-2020-13667 [MEDIUM] CWE-276 Drupal Core Access bypass vulnerability
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
OSV
CVE-2020-13667: The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published t
osv·2020-09-16
The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.
The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.
This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.
Drupal
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
vendor_drupal·2020-09-16
CVE-2020-13667 [MEDIUM] Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
Title: Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
Vulnerability Type: Access bypass
Description: The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.
Solution: Install the latest version: If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10. If you are using Drupal 8.9.x, upgra
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-05-17