Moderately Critical Information Disclosure Vulnerability in Drupal Core

The Drupal security team announced on February 16th, 2022 a moderately critical information disclosure vulnerability in Drupal core, SA-CORE-2022-004. The vulnerability is rated moderately critical because it scores 12/25 on Drupal's security risk scale, with the vector AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default.

The vulnerability was reported by Samuel Mortenson. The Quick Edit module does not properly check entity access in some circumstances. This could allow users with the "access in-place editing" permission to view some content they are not authorized to access.
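To make the class of bug concrete, here is an added, illustrative example written for this article. It is not Quick Edit's code and not the SA-CORE-2022-004 patch; the module name `example_inplace`, the class `InPlaceFieldAccess` and both method names are assumptions. It contrasts a field-rendering access check that stops at the module-level permission (so anyone holding "access in-place editing" can fetch field markup for entities they may not view) with one that also asks the entity, its requested translation and the field itself whether the account may view them.

```php
<?php

declare(strict_types=1);

namespace Drupal\example_inplace\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityRepositoryInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Illustrative access checks for an in-place-editing field endpoint.
 *
 * Hypothetical class written for this article; it is not Quick Edit's code
 * and not the SA-CORE-2022-004 fix. It contrasts a guard that stops at the
 * module permission with one that also enforces entity, translation and
 * field view access.
 */
final class InPlaceFieldAccess {

  private EntityRepositoryInterface $entityRepository;

  public function __construct(EntityRepositoryInterface $entity_repository) {
    $this->entityRepository = $entity_repository;
  }

  /**
   * Vulnerable pattern: the only gate is the module-level permission.
   *
   * An account holding 'access in-place editing' can request field markup for
   * an entity it is not allowed to view, because nothing here asks the entity
   * or the field whether $account may view them.
   */
  public function checkVulnerable(EntityInterface $entity, string $field_name, AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermission($account, 'access in-place editing');
  }

  /**
   * Hardened pattern: permission AND entity AND field access, per translation.
   */
  public function checkHardened(EntityInterface $entity, string $field_name, string $langcode, AccountInterface $account): AccessResultInterface {
    // Module-level permission; the result is cached per the account's permissions.
    $access = AccessResult::allowedIfHasPermission($account, 'access in-place editing');

    // The requested translation may have its own published state, so resolve
    // it before asking for entity access instead of trusting the default one.
    $translated = $this->entityRepository->getTranslationFromContext($entity, $langcode);

    // Entity-level 'view' access (unpublished nodes, access-controlled content).
    $access = $access->andIf($translated->access('view', $account, TRUE));

    // Refuse unknown or non-fieldable targets outright.
    if (!$translated instanceof FieldableEntityInterface || !$translated->hasField($field_name)) {
      return AccessResult::forbidden('Unknown field.')->addCacheableDependency($translated);
    }

    // Field-level 'view' access, so per-field restrictions are honoured too.
    $access = $access->andIf($translated->get($field_name)->access('view', $account, TRUE));

    // Tie the cached decision to the entity so edits invalidate it.
    return $access->addCacheableDependency($translated);
  }

}
```

The practical check when reviewing any module that renders or returns entity data outside the normal entity view pipeline is the same: a route `_permission` requirement is not an entity access check, and `EntityInterface::access()` plus `FieldItemListInterface::access()` must be consulted for the specific translation being served.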

Sites are only affected if the QuickEdit module (which ships with the Standard profile) is installed. The same vulnerability in contributed modules is addressed in SA-CONTRIB-2022-025.

This advisory is not covered by Drupal Steward.

Solution

This vulnerability was fixed by Théodore Biadala, Adam G-H, Wim Leers, Ted Bowman, Dave Long, Derek Wright, Samuel Mortenson, Joseph Zhao and the Drupal security team members xjm, Lee Rowlands, Drew Webber and Alex Bronstein.

The solution is to install the latest version, i.e.

Please note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Drupal 8 has also reached end of life.

Drupal 7 core does not include the QuickEdit module and is therefore not affected.

Uninstalling the QuickEdit module also mitigates the vulnerability. As the Drupal team notes, site owners may want to consider this option, since there are plans to remove the QuickEdit module from Drupal 10 core.

Source: https://www.drupal.org/sa-core-2022-004
