← Back

CVE-2022-25274

nvd nist
Published: Apr 26, 2023Modified: Feb 3, 2025

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.5
Source: NVD

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

Affected (1)

Products: Drupal: Drupal
Drupal
1 product
Drupal
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Drupal
From 9.3.0 to 9.3.12

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

Source: mlhess@drupal.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.