CVE-2020-13674

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-13674

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13674.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-13674

Aliases

Published

2022-02-11T16:15:08Z

Modified

2024-09-03T03:13:13.728518Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

References

https://www.drupal.org/sa-core-2021-007

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

a412ca41cfc0d954fe3cb2dd982dc6ca049b1c70

Fixed

ff4f28f15d717b1ba39867f1550a248d1a915928

Affected versions

8.*

8.9.0

8.9.1

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.8

8.9.9