Platform: drupal
Component: drupal
Fixed in: 9.3.6, 9.2.13
CVE-2022-25270 describes an access bypass vulnerability within Drupal Core. This flaw allows users with the 'access in-place editing' permission to potentially view content they are not authorized to access. The vulnerability specifically affects Drupal Core versions 9.3.5 and earlier, and is only present on sites utilizing the Standard profile and the Quick Edit module.
The core impact of CVE-2022-25270 lies in the potential for unauthorized data exposure. An attacker, possessing the 'access in-place editing' permission, could leverage this vulnerability to view sensitive content that they should not have access to. This could include confidential information, internal notes, or other data that is restricted based on user roles. While the vulnerability does not directly lead to data modification or system compromise, the exposure of sensitive information can have significant implications for data privacy and security. The blast radius is limited to content accessible through the Quick Edit interface, but the potential for unauthorized viewing remains a serious concern.
CVE-2022-25270 was publicly disclosed on February 18, 2022. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.25% (49th percentile)
The primary mitigation for CVE-2022-25270 is to upgrade Drupal Core to version 9.3.6 or later. This version includes the necessary fix to properly check entity access within the Quick Edit module. If immediate upgrading is not feasible, consider disabling the Quick Edit module as a temporary workaround. Review user permissions to ensure that only authorized personnel have the 'access in-place editing' permission. After upgrading, confirm the fix by attempting to access restricted content with a user account that should not have access.
Update Drupal Core to version 9.3.6 or 9.2.13, or a later version. This will fix the vulnerability in the Quick Edit module.
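As an added example (not part of the advisory and not Drupal's own tooling), the following Python script applies the version logic above to a composer.lock file: it reads the installed drupal/core version and reports whether it predates the fixed releases 9.3.6 and 9.2.13. The composer.lock excerpt embedded in the script is constructed for illustration. Note that composer.lock alone cannot tell you whether the Quick Edit module is enabled, so the result is "version affected", which you would then combine with a check of enabled modules on the site.

```python
import json
import re

# Constructed composer.lock excerpt (not a real file); real lock files list many more packages.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.3.5"},
        {"name": "drupal/core-recommended", "version": "9.3.5"},
    ],
    "packages-dev": [],
})

# Fixed releases named in the advisory, keyed by the (major, minor) branch they belong to.
FIXED_BY_BRANCH = {(9, 3): (9, 3, 6), (9, 2): (9, 2, 13)}


def parse_version(version):
    """Turn a Composer version string such as '9.3.5' or 'v9.3.5' into an int tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised drupal/core version: {version!r}")
    return tuple(int(part) for part in match.groups())


def core_version(lock_json):
    """Return the installed drupal/core version from composer.lock text, or None if absent."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    return None


def is_affected(version):
    """True when the version predates the fix for CVE-2022-25270.

    9.3.x is fixed from 9.3.6, 9.2.x from 9.2.13 (both from the advisory). Anything
    older than 9.2 predates the fix; anything newer than 9.3 already carries it.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        return parsed < FIXED_BY_BRANCH[branch]
    return parsed < (9, 3, 6)


def assess(lock_json):
    """Summarise the composer.lock check as a small dict for reporting."""
    version = core_version(lock_json)
    if version is None:
        return {"version": None, "affected": None, "note": "drupal/core not present in lock file"}
    affected = is_affected(version)
    note = ("upgrade to 9.3.6 / 9.2.13 or later; disable Quick Edit until then"
            if affected else "core version carries the fix")
    return {"version": version, "affected": affected, "note": note}


if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSER_LOCK))
```

Run it against a real lock file by replacing SAMPLE_COMPOSER_LOCK with the file's contents; a result of `affected: True` means the core version is in scope and the Quick Edit module status should be checked next.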
CVE-2022-25270 is a medium severity vulnerability in Drupal Core versions 9.3.5 and earlier, allowing unauthorized viewing of content via the Quick Edit module.
You are affected if you are running Drupal Core 9.3.5 or earlier and have the Quick Edit module enabled within the Standard profile.
Upgrade Drupal Core to version 9.3.6 or later. As a temporary workaround, disable the Quick Edit module.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-25270.
Refer to the official Drupal security advisory at https://www.drupal.org/security/advisories/2022-core-9.3.6.