Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-13674

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Published

2022-02-11T16:15:08.307

Last Modified

2024-11-21T05:01:44.333

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-352
Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	< 8.9.19	Yes
Application	drupal	drupal	< 9.1.13	Yes
Application	drupal	drupal	< 9.2.6	Yes

References

https://www.drupal.org/sa-core-2021-007 Patch, Vendor Advisory ([email protected])
https://www.drupal.org/sa-core-2021-007 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)