Description

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

Remediation

References

CVE-2020-13677

Related Vulnerabilities

WordPress Plugin Form Vibes-Database Manager for Forms SQL Injection (1.4.10)

Undertow Uncontrolled Resource Consumption Vulnerability (CVE-2022-2053)

PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2007-5899)

MySQL Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2008-4098)

Apache Traffic Server Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2019-9515)

Severity

High

Classification

CVE-2020-13677 CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities