CVE-2020-13674

6.5MEDIUM

Key Information

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 11 February 2022

Summary

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Affected Version(s)

Core < 9.2.6

Core < 9.1.13

Core < 8.9.19

Refferences

https://www.drupal.org/sa-core-2021-007

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
May 28, 2020

Collectors

NVD DatabaseMitre Database