CVE-2022-25270 — Incorrect Authorization in Drupal Core

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 51.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 17

Latest updateFeb 18

Description

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5drupal/core9.3.x — 9.3.6+1

▶Packagistdrupal/core9.3.0 — 9.3.6+1

▶NVDdrupal/drupal9.2.0 — 9.2.13+1

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Incorrect authorization in Drupal core↗2022-02-18

▶

GHSA

Incorrect authorization in Drupal core↗2022-02-18

▶

CVEList

CVE-2022-25270: The Quick Edit module does not properly check entity access in some circumstances↗2022-02-16

▶

OSV

CVE-2022-25270: The Quick Edit module does not properly check entity access in some circumstances↗2022-02-16

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004↗2022-02-16

▶