Improper access control in Drupal - CVE-2020-13667

 

Improper access control in Drupal - CVE-2020-13667

Published: September 17, 2020


Vulnerability identifier: #VU46768
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-13667
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Drupal
Affected software:
Drupal

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the Workspaces module when working with multiple workspaces. A remote attacker can bypass implemented security restrictions and gain unauthorized access to yet not published content.

Successful exploitation of the vulnerability requires that the experimental Workspaces module is installed.


How to mitigate CVE-2020-13667

Install updates from vendor's website.

Sources