CVE-2020-13674 — Cross-Site Request Forgery in Drupal Core

CWE-352 — Cross-Site Request Forgery7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 65.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5drupal/core9.2 — 9.2.6+2

▶Packagistdrupal/core8.0.0 — 8.9.19+2

▶NVDdrupal/drupal8.9.0 — 8.9.19+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Cross-Site Request Forgery in Drupal core↗2022-02-12

▶

OSV

Cross-Site Request Forgery in Drupal core↗2022-02-12

▶

OSV

CVE-2020-13674: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to po↗2022-02-11

▶

CVEList

CVE-2020-13674: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to po↗2022-02-11

▶

OSV

CVE-2020-13674: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to po↗2021-09-15

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007↗2021-09-15

▶