fkie_cve-2022-25270
Vulnerability from fkie_nvd
Published
2022-02-17 00:15
Modified
2024-11-21 06:51
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
References
mlhess@drupal.orghttps://www.drupal.org/sa-core-2022-004Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.drupal.org/sa-core-2022-004Patch, Vendor Advisory
Impacted products
Vendor Product Version
drupal drupal *
drupal drupal *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "09CF71F1-F74A-4B1F-AD6D-B21B8A4B376A",
              "versionEndExcluding": "9.2.13",
              "versionStartIncluding": "9.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E73DD49-5B53-4196-9F8F-CB530E532C71",
              "versionEndExcluding": "9.3.6",
              "versionStartIncluding": "9.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the \"access in-place editing\" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo Quick Edit no comprueba correctamente el acceso a las entidades en algunas circunstancias. Esto podr\u00eda resultar en que usuarios con el permiso de \"access in-place editing\" visualicen algunos contenidos a los que no est\u00e1n autorizados a acceder. Los sitios s\u00f3lo est\u00e1n afectados si el m\u00f3dulo QuickEdit (que viene con el perfil est\u00e1ndar) est\u00e1 instalado"
    }
  ],
  "id": "CVE-2022-25270",
  "lastModified": "2024-11-21T06:51:55.260",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-02-17T00:15:07.710",
  "references": [
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2022-004"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2022-004"
    }
  ],
  "sourceIdentifier": "mlhess@drupal.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.