Moderately Critical Information Disclosure Vulnerability in Drupal Core
On February 16th, 2022, the Drupal security team announced a moderately critical information disclosure vulnerability in Drupal Core, SA-CORE-2022-004. The vulnerability is rated 12/25 (AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default), which places it in the moderately critical category.
The vulnerability was reported by Samuel Mortenson. The Quick Edit module does not properly check entity access in some cases. This could allow some users with the "access in-place editing" permission to view content they are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. The same vulnerability in contributed modules is addressed in SA-CONTRIB-2022-025.
This advisory announcement is not covered by Drupal Steward.
Solution
This vulnerability was fixed by Théodore Biadala, Adam G-H, Wim Leers, Ted Bowman, Dave Long, Derek Wright, Samuel Mortenson, Joseph Zhao and the Drupal security team consisting of xjm, Lee Rowlands, Drew Webber, and Alex Bronstein.
The solution is to update to the latest fixed release, i.e.
- If you are using Drupal 9.3, update to Drupal 9.3.6.
- If you are using Drupal 9.2, update to Drupal 9.2.13.
Please note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Drupal 8 has also reached its end of life.
Drupal 7 core does not include the QuickEdit module and is therefore not affected.
Uninstalling the QuickEdit module also mitigates the vulnerability. As per the Drupal team, site owners may want to consider this option, as there are plans to remove the QuickEdit module from Drupal 10 core.
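The update and uninstall options above reduce to two questions a site owner has to answer: is the core version at or above the fixed release for its branch, and is the QuickEdit module installed at all? The following shell script is an added example (not part of the advisory or of Drupal's own tooling) that encodes the advisory's fixed releases (9.3.6 and 9.2.13), the end-of-life branches, and the Drupal 7 exception, and combines them with the enabled-module list. The Drush commands used for the live check (`drush core:status --field=drupal-version`, `drush pm:list --status=enabled --type=module --format=list`) are an assumption about the site's tooling; when Drush is not present the script runs against a constructed sample instead.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a Drupal core version against
# the fixed releases named in SA-CORE-2022-004 and combine it with whether the
# QuickEdit module is installed. Only the two drush calls at the bottom touch a
# real site; the functions work on plain strings so they can run anywhere.

# Print one of: fixed, vulnerable, eol, unaffected, unknown.
# Fixed releases per the advisory: 9.3.6 and 9.2.13. Drupal 9 before 9.2 and
# Drupal 8 are end-of-life (eol). Drupal 7 core has no QuickEdit module
# (unaffected). Anything the advisory does not list is reported as unknown.
core_version_status() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;            # "9.3" with no patch component
  esac
  patch=${patch%%[!0-9]*}      # drop suffixes such as -dev or -rc1
  case "$major" in
    7) echo unaffected ;;
    8) echo eol ;;
    9)
      case "$minor" in
        3) [ "${patch:-0}" -ge 6 ]  && echo fixed || echo vulnerable ;;
        2) [ "${patch:-0}" -ge 13 ] && echo fixed || echo vulnerable ;;
        *) [ "$minor" -lt 2 ] && echo eol || echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Print "yes" when quickedit appears in a newline-separated list of enabled
# module machine names (the shape produced by drush pm:list --format=list,
# assumed here).
quickedit_installed() {
  printf '%s\n' "$1" | grep -qx quickedit && echo yes || echo no
}

# Overall exposure for this advisory: the module must be installed AND the core
# version must be below the fixed release (or on an unsupported branch).
# $1 = core version, $2 = enabled module list
exposure() {
  status=$(core_version_status "$1")
  if [ "$status" = unaffected ]; then echo not-affected; return; fi
  if [ "$(quickedit_installed "$2")" = no ]; then echo mitigated; return; fi
  case "$status" in
    fixed)          echo patched ;;
    vulnerable|eol) echo "exposed:$status" ;;
    *)              echo unknown ;;
  esac
}

# Constructed sample input (no real site): a 9.2.12 site with QuickEdit enabled.
SAMPLE_VERSION="9.2.12"
SAMPLE_MODULES="node
quickedit
user"

if command -v drush >/dev/null 2>&1; then
  # Live site: read the core version and enabled modules through Drush.
  exposure "$(drush core:status --field=drupal-version)" \
           "$(drush pm:list --status=enabled --type=module --format=list)"
else
  exposure "$SAMPLE_VERSION" "$SAMPLE_MODULES"    # prints exposed:vulnerable
fi
```

A result of `exposed:vulnerable` means the advisory's update applies; `exposed:eol` means the branch no longer receives security releases, so the only options are upgrading to a supported branch or uninstalling the module; `mitigated` means QuickEdit is not installed and, per the advisory, the site is not affected regardless of version.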
Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation from it, please let us know in the comments below and we will try to address the issue as best we can.