Description

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

Remediation

References

CVE-2020-13677

Related Vulnerabilities

WordPress Plugin WordPress Comments Import & Export CSV Injection (2.0.4)

Claroline Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3716)

WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors Cross-Site Scripting (2.3.0)

WordPress Plugin Vuukle Comments, Reactions, Share Bar, Revenue Unspecified Vulnerability (4.0.2)

WordPress 3.8.x Cross-Site Request Forgery (3.8 - 3.8.28)

Severity

High

Classification

CVE-2020-13677 CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities