CVE-2020-13676 — Improper Access Control in Drupal Core

CWE-284 — Improper Access Control CWE-863 — Incorrect Authorization7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 48.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5drupal/core9.2 — 9.2.6+2

▶Packagistdrupal/core8.0.0 — 8.9.19+2

▶NVDdrupal/drupal8.9.0 — 8.9.19+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Incorrect Authorization in Drupal core↗2022-02-12

▶

OSV

Incorrect Authorization in Drupal core↗2022-02-12

▶

OSV

CVE-2020-13676: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data↗2022-02-11

▶

CVEList

CVE-2020-13676: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data↗2022-02-11

▶

OSV

CVE-2020-13676: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data↗2021-09-15

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009↗2021-09-15

▶