CVE-2022-25274

EPSS 0.17%
Published 26.04.2023 14:15:09
Last modified 03.02.2025 19:15:08
Source mlhess@drupal.org
Teams watchlist Login
Open Login

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 9.3.0 < 9.3.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.39

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.drupal.org/sa-core-2022-009

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-25274

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-25274

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-25274

EUVD