CVE-2022-25270
Incorrect authorization in Drupal core
6.5
MEDIUM
CVSS 3.1
EPSS 0.25%
Description
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
How to fix CVE-2022-25270
To remediate CVE-2022-25270, upgrade the affected package to a fixed version below.
- —upgrade to 9.2.13 or later
- —upgrade to 9.2.13 or later
- —upgrade to 9.3.6 or later
Is CVE-2022-25270 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.6
- >= 8.0.0, < 9.2.13 | >= 9.3.0, < 9.3.6
- >= 9.3.0, < 9.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |