Home > Vulnerability Database > WS-2022-0118

Mend.io Vulnerability Database

WS-2022-0118

Good to know:

Date: April 20, 2022

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. Fixed in 9.3.12. This vulnerability only affects sites using Drupal's revision system

Language: PHP

Severity Score

6.8

Related Resources (2)

Url: https://github.com/drupal/drupal/commit/ed4b437ad902e05a63704ae1b76297a76c776224

Url: https://www.mend.io/vulnerability-database/WS-2022-0118

Severity Score

6.8

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version 9.3.12

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0118

Good to know:

Date: April 20, 2022

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?