SB2021091524 - Multiple vulnerabilities in Drupal

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021091524

SB2021091524 - Multiple vulnerabilities in Drupal

Published: September 15, 2021

Security Bulletin ID SB2021091524
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 80% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2020-13677)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the JSON:API module. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.


2) Improper access control (CVE-ID: CVE-2020-13676)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions within the QuickEdit module. A remote user can bypass implemented security restrictions and read certain field data.


3) Improper access control (CVE-ID: CVE-2020-13675)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the JSON:API and REST/File modules when validating file uploads. A remote user can bypass the file validation process.


4) Cross-site request forgery (CVE-ID: CVE-2020-13674)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the QuickEdit module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


5) Cross-site request forgery (CVE-ID: CVE-2020-13673)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin within the Drupal core Media module. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


Remediation

Install update from vendor's website.

References