CVE-2020-13674
MEDIUM
Drupal 8.9.0-8.9.18 - Cross-Site Request Forgery in QuickEdit Module
Title source: llm
Description
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.
References (1)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2021-007
Scores
CVSS v3
6.5
EPSS
0.0014
EPSS Percentile
33.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
Status
published
Products (2)
drupal/core
8.0.0 - 8.9.19
Packagist
drupal/drupal
8.9.0 - 8.9.19
Published
Feb 11, 2022
Tracked Since
Feb 18, 2026