Access Bypass in Drupal's Revision System for Node and Media Content
CVE-2022-25274

5.4MEDIUM

Key Information:

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 26 April 2023

What is CVE-2022-25274?

Drupal 9.3 introduced a generic entity access API for managing entity revisions. However, the API was not fully integrated with the existing permission system, leading to potential access bypass for users who can interact with content revisions without possessing the requisite permissions for specific items within node and media content. This issue primarily affects installations utilizing Drupal's revision system, thereby posing a risk to content security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Core 9.3 < 9.3.12

References

https://www.drupal.org/sa-core-2022-009

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Feb 16, 2022

JSON

Drupal