Lucene search

DrupalCVE-2020-13674

HistoryFeb 11, 2022 - 4:15 p.m.

CVE-2020-13674

2022-02-1116:15:08

CWE-352

drupal

web.nvd.nist.gov

cve-2020-13674

quickedit module

access validation

csrf

data integrity

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

21.6%

JSON

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the “access in-place editing” permission from untrusted users will not fully mitigate the vulnerability.

Affected configurations

Nvd

Node

drupaldrupalRange8.9.0–8.9.19

drupaldrupalRange9.1.0–9.1.13

drupaldrupalRange9.2.0–9.2.6

VendorProductVersionCPE
drupaldrupal*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
drupal	drupal	*	cpe:2.3:a:drupal:drupal::::::::

CNA Affected

[
  {
    "product": "Core",
    "vendor": "Drupal",
    "versions": [
      {
        "lessThan": "9.2.6",
        "status": "affected",
        "version": "9.2",
        "versionType": "custom"
      },
      {
        "lessThan": "9.1.13",
        "status": "affected",
        "version": "9.1",
        "versionType": "custom"
      },
      {
        "lessThan": "8.9.19",
        "status": "affected",
        "version": "8.9",
        "versionType": "custom"
      }
    ]
  }
]