CVE-2020-13676
Incorrect Authorization in Drupal core
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.29%
Description
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
How to fix CVE-2020-13676
To remediate CVE-2020-13676, upgrade the affected package to a fixed version below.
- Bitnami/drupal—upgrade to 8.9.19 or later
- —upgrade to 8.9.19 or later
- —upgrade to 8.9.19 or later
Is CVE-2020-13676 being exploited?
Low. EPSS is 0.3%, a low estimated probability of exploitation; exploitation activity has not been observed at scale.
Affected packages (3)
- >= 8.9.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
- >= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
- >= 8.0.0, < 8.9.19
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |