CVE-2020-13674

CVE-2020-13674

Vendor Drupal

Product Core

Weakness CWE-352 · CSRF

Published February 11, 2022

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Key dates

02Disclosure timeline

February 11, 2022 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-13674 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

Identifiers

CVE CVE-2020-13674

CWE CWE-352

Affected versions

Vendor Drupal

Product Core

Affected ≥ 9.2 and < 9.2.6

Vendor Drupal

Product Core

Affected ≥ 9.1 and < 9.1.13

Vendor Drupal

Product Core

Affected ≥ 8.9 and < 8.9.19

01Description

02Disclosure timeline

03References

04Related CVE