Drupal Security TeamDRUPAL-SA-CORE-2021-007Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
21.7%
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the “access in-place editing” permission from untrusted users will not fully mitigate the vulnerability. This advisory is not covered by Drupal Steward.
Affected configurations
References
www.drupal.org/node/3227039
www.drupal.org/project/drupal/releases/8.9.19
www.drupal.org/project/drupal/releases/9.1.13
www.drupal.org/project/drupal/releases/9.2.6
www.drupal.org/user/17943
www.drupal.org/user/205645
www.drupal.org/user/255969
www.drupal.org/user/2582268
www.drupal.org/user/36762
www.drupal.org/user/395439
www.drupal.org/user/598310
www.drupal.org/user/65776
www.drupal.org/user/78040
www.drupal.org/user/93488
www.drupal.org/user/99777
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
21.7%