CVE-2022-25270 – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=9.3.0 <9.3.6 || >=8.0.0 <9.2.13

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00215 pctl0.44024

Details

Incorrect authorization in Drupal core The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Metadata

Created: 2022-02-18T00:00:36Z
Modified: 2022-03-01T22:04:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-73q4-j324-2qcc/GHSA-73q4-j324-2qcc.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-73q4-j324-2qcc
Finding: F006
Auto approve: 1