6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25270

GHSA ID

GHSA-73q4-j324-2qcc

EPSS Score

0.55462%

CWE

CWE-863

Published

2/18/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25270

CVE-2022-25270: Incorrect authorization in Drupal core

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25270

GHSA ID

GHSA-73q4-j324-2qcc

EPSS Score

0.55462%

CWE

CWE-863

Published

2/18/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 9.3.0, < 9.3.6	9.3.6
drupal/core	composer	>= 8.0.0, < 9.2.13	9.2.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing entity access checks in the Quick Edit module. While no explicit code is shown, Drupal's architecture requires entity access validation in controller methods handling editing operations. The QuickEditController::entityAccess method is a logical candidate as it would be responsible for authorization decisions. The medium confidence reflects the lack of direct code/patch evidence, but aligns with the described vulnerability pattern and Drupal's security practices.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Qui*k **it mo*ul* *o*s not prop*rly ****k *ntity ****ss in som* *ir*umst*n**s. T*is *oul* r*sult in us*rs wit* t** "****ss in-pl*** **itin*" p*rmission vi*win* som* *ont*nt t**y *r* *r* not *ut*oriz** to ****ss. Sit*s *r* only *****t** i* t** Qui

Reasoning

T** vuln*r**ility st*ms *rom missin* *ntity ****ss ****ks in t** Qui*k **it mo*ul*. W*il* no *xpli*it *o** is s*own, *rup*l's *r**it**tur* r*quir*s *ntity ****ss `v*li**tion` in *ontroll*r m*t*o*s **n*lin* **itin* op*r*tions. T** `Qui*k**it*ontroll*r

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-25270: Incorrect authorization in Drupal core

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI