Platform
drupal
Component
drupal
Fixed in
9.3.6 (9.3.x line)
9.2.13 (9.2.x line)
CVE-2022-25270 is an access bypass vulnerability in Drupal Core. The Quick Edit module does not properly check entity access in some circumstances, so a user who holds the 'access in-place editing' permission can retrieve content through Quick Edit's endpoints that normal entity access checks would not let them view. The flaw affects Drupal 9.3.x before 9.3.6 and 9.2.x before 9.2.13, and only sites on which the Quick Edit module is enabled. The Standard install profile enables Quick Edit by default, which is why most sites built from that profile are affected unless the module was uninstalled.
The primary impact of CVE-2022-25270 is unauthorized disclosure of content. It is not a full data breach: the attacker must already be an authenticated user with the 'access in-place editing' permission, and what they gain is read access to entities or fields that their role should not see (for example content protected by access restrictions). Depending on what the site stores, that can still expose confidential information and create data-protection or compliance problems. The exposure is limited to what Quick Edit can load, and to sites where the module is enabled.
CVE-2022-25270 was publicly disclosed on February 18, 2022. No public exploits or active campaigns have been reported at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. It is rated medium severity (Drupal's advisory classifies it as Moderately critical), and the low EPSS score below reflects the requirement for an authenticated user with a specific permission; the fix should still be applied promptly because the precondition is common on editorial sites.
Any site running an affected Drupal 9 release with the Quick Edit module enabled is at risk. Sites installed from the Standard profile have Quick Edit enabled by default, so they are affected unless someone explicitly uninstalled the module. Organizations that rely on entity access rules to separate what different editor groups may see should prioritize patching, since those are exactly the boundaries the bypass crosses.
• drupal: Check the Drupal core version with `drush status --field=drupal-version` (or `composer show drupal/core`; note that `drush --version` reports the Drush version, not Drupal's). 9.3.x below 9.3.6 and 9.2.x below 9.2.13 are affected; 9.1.x and older no longer receive security fixes and should be treated as affected as well.
• drupal: Check whether Quick Edit is enabled with `drush pm:list --status=enabled --format=list | grep -x quickedit` (do not run `drush en quickedit`, which would enable it). If the module is not needed, uninstall it with `drush pm:uninstall quickedit`.
• drupal: Review roles and permissions (`drush role:list`, or Administration > People > Permissions) so that only trusted editorial roles hold 'access in-place editing'.
• generic web: Drupal writes its own log to the database log (Reports > Recent log messages, or `drush watchdog:show`), not to the web server's error log. For this issue, review the web server access log for unexpected requests under the `/quickedit/` path prefix, correlated with the session or IP of users who should not be editing that content.
EPSS
0.25% (49th percentile)
The recommended mitigation for CVE-2022-25270 is to upgrade Drupal Core to 9.3.6 or later (9.2.13 or later on the 9.2 line). If an immediate upgrade is not possible, uninstall the Quick Edit module (in Drupal 9 modules are uninstalled rather than disabled; it can be reinstalled after patching). That removes the vulnerable code path at the cost of in-place editing for editors. Independently of the upgrade, restrict the 'access in-place editing' permission to roles that genuinely need it, and audit enabled modules and permission grants regularly. After upgrading, confirm the fix by logging in as a test account that holds 'access in-place editing' but lacks view access to a specific entity, and verifying that Quick Edit no longer returns that entity's field data.
Update Drupal Core to version 9.3.6 or 9.2.13, or a later release. This fixes the vulnerability in the Quick Edit module.
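The checks listed above and the upgrade-or-uninstall decision in the mitigation paragraph, combined into one triage script. This is an added example, not code from the Drupal project, the advisory, or this page. It assumes Drush 9+ command names (`drush status --field=drupal-version`, `drush pm:list --format=list`, `drush role:list --format=yaml`) and that the YAML output of `role:list` uses role IDs as top-level keys with permissions as indented list items; treating anything older than 9.2.x as vulnerable is the script's own conservative assumption, since those lines never received the fix. The pure functions take version strings and Drush output as input, so they run without a Drupal installation; the live section at the end only runs when `drush` is on PATH.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2022-25270 (Drupal Quick Edit access bypass).
# Not from the Drupal advisory or project; see the lead-in for the assumptions.

# Split "MAJOR.MINOR.PATCH[-suffix]" into the globals major, minor, patch.
split_version() {
    _v=$1
    major=${_v%%.*}
    _rest=${_v#*.}
    case $_rest in
        *.*) minor=${_rest%%.*}; patch=${_rest#*.} ;;
        *)   minor=$_rest;        patch=0 ;;
    esac
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}          # drop "-dev", "-rc1" and similar suffixes
    [ -n "$patch" ] || patch=0
}

# Exit 0 if the core version is in an affected range: 9.3.0-9.3.5 or 9.2.0-9.2.12.
# Assumption of this script: lines older than 9.2 (9.1.x, 8.x) are unsupported and
# never received the fix, so they are reported as vulnerable too.
drupal_core_vulnerable() {
    split_version "$1"
    if [ "$major" -gt 9 ]; then return 1; fi
    if [ "$major" -lt 9 ]; then return 0; fi
    case $minor in
        3) [ "$patch" -lt 6 ] ;;
        2) [ "$patch" -lt 13 ] ;;
        *) [ "$minor" -lt 2 ] ;;     # 9.4+ shipped after the fix; 9.1 and older are EOL
    esac
}

# Print the release to upgrade to, or nothing if the version is not vulnerable.
# 9.2.x sites can stay on their line (9.2.13); everything else goes to 9.3.6.
fixed_release_for() {
    drupal_core_vulnerable "$1" || return 0
    if [ "$major" -eq 9 ] && [ "$minor" -eq 2 ]; then echo 9.2.13; else echo 9.3.6; fi
}

# Read `drush pm:list --status=enabled --format=list` (one machine name per line)
# on stdin; exit 0 if quickedit is among the enabled modules.
quickedit_enabled() {
    grep -qx 'quickedit'
}

# Read `drush role:list --format=yaml` on stdin and print the ID of every role that
# holds 'access in-place editing' (assumes role IDs are the top-level YAML keys).
roles_with_inplace_editing() {
    awk '/^[^ ]/ { role = $1; sub(/:$/, "", role) }
         /access in-place editing/ { print role }'
}

# Live checks against the site in the current directory; skipped when drush is absent.
if command -v drush >/dev/null 2>&1; then
    core=$(drush status --field=drupal-version)
    if drupal_core_vulnerable "$core"; then
        echo "Drupal core $core is affected; upgrade to $(fixed_release_for "$core")"
        echo "  composer update \"drupal/core-*\" --with-all-dependencies && drush updatedb -y && drush cache:rebuild"
    else
        echo "Drupal core $core is not in an affected range"
    fi
    if drush pm:list --status=enabled --format=list | quickedit_enabled; then
        echo "quickedit is enabled; roles holding 'access in-place editing':"
        drush role:list --format=yaml | roles_with_inplace_editing
        echo "Workaround until patched: drush pm:uninstall quickedit -y"
        echo "Or narrow the grant:     drush role:perm:remove ROLE 'access in-place editing'"
    else
        echo "quickedit is not enabled; CVE-2022-25270 is not reachable on this site"
    fi
fi
```

Run it from the Drupal project root as the user that normally runs Drush. The version check deliberately reports 9.1.x and 8.x as affected rather than unknown: a site on an unsupported line has no fixed release to move to within its line and should be upgraded to 9.3.6 regardless of this particular CVE.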
CVE-2022-25270 is a medium severity access bypass in Drupal Core (9.3.x before 9.3.6 and 9.2.x before 9.2.13) that lets users with the 'access in-place editing' permission view content through the Quick Edit module that they are not otherwise allowed to see.
You are affected if you run one of those Drupal Core versions and the Quick Edit module is enabled; the Standard install profile enables it by default, so sites built from that profile are affected unless the module was uninstalled.
Upgrade Drupal Core to 9.3.6 or later (9.2.13 or later on the 9.2 line). As a temporary workaround, uninstall the Quick Edit module.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-25270.
Refer to the official Drupal security advisory SA-CORE-2022-004 at https://www.drupal.org/security/advisories/2022-core-9.3.6.