CVE-2022-25274

Published: Apr 26, 2023

Modified: Feb 3, 2025

PUBLISHED

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

Vendor: Drupal
Product: Core
Versions: affected, 9.3 - < 9.3.12
