CVE-2022-25270: Incorrect authorization in Drupal core

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.55462%
Published: 2/18/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
drupal/core    composer    >= 9.3.0, < 9.3.6      9.3.6
drupal/core    composer    >= 8.0.0, < 9.2.13     9.2.13

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing entity access checks in the Quick Edit module. While no explicit code is shown, Drupal's architecture requires entity access validation in controller methods handling editing operations. The QuickEditController::entityAccess method is a logical candidate as it would be responsible for authorization decisions. The medium confidence reflects the lack of direct code/patch evidence, but aligns with the described vulnerability pattern and Drupal's security practices.


WAF Protection Rules

WAF Rule

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the Qui
