CVE-2022-25270
published 2022-02-17
CVE-2022-25270: The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission…
Priority P336 medium 6.5 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.76% (50.5th percentile)
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 9.2.13 | 9.2.13 |
| drupal | core | >= 9.2.x < 9.2.13 | 9.2.13 |
| drupal | core | >= 9.3.0 < 9.3.6 | 9.3.6 |
| drupal | core | >= 9.3.x < 9.3.6 | 9.3.6 |
| drupal | drupal | >= 9.2.0 < 9.2.13 | 9.2.13 |
| drupal | drupal | >= 9.3.0 < 9.3.6 | 9.3.6 |
| drupal | drupal_core | — | — |
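CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |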
OSV
Incorrect authorization in Drupal core
osv·2022-02-18
CVE-2022-25270 [MEDIUM] Incorrect authorization in Drupal core
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
GHSA
Incorrect authorization in Drupal core
ghsa·2022-02-18
CVE-2022-25270 [MEDIUM] CWE-863 Incorrect authorization in Drupal core
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
OSV
CVE-2022-25270: The Quick Edit module does not properly check entity access in some circumstances
osv·2022-02-16
CVE-2022-25270 CVE-2022-25270: The Quick Edit module does not properly check entity access in some circumstances
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Also see [Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025](https://www.drupal.org/sa-contrib-2022-025) which addresses the same vulnerability for the contributed module.
This advisory is not covered by [Drupal Steward](/steward).
Drupal
Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
vendor_drupal·2022-02-16
CVE-2022-25270 [MEDIUM] Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
Title: Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
Vulnerability Type: Information disclosure
Description: The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Also see Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: If you are using Drupal 9.3, update to Drupal 9.3.6. If you are using Drupal 9.2, update to Dr
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-02-17
Published