CVE-2022-25270
Description
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal's Quick Edit module fails to check entity access, allowing users with the 'access in-place editing' permission to view unauthorized content.
Vulnerability
The Quick Edit module in Drupal core fails to properly check entity access in certain circumstances [1][2]. This affects sites where the QuickEdit module is installed, which is included in the Standard installation profile. Users with the "access in-place editing" permission can exploit this flaw.
Exploitation
An attacker needs only the "access in-place editing" permission, which is typically granted to certain roles. By using the Quick Edit functionality, the attacker can view content that they are not authorized to access [1][2]. No additional authentication or network position is required beyond having the permission.
Impact
Successful exploitation leads to information disclosure: the attacker can view restricted content [1][2]. The confidentiality of the affected content is compromised, but there is no impact on integrity or availability.
Mitigation
The Drupal security advisory SA-CORE-2022-004 provides details on the fix [2]. Administrators should update Drupal core to the patched version as specified in the advisory. Sites using the contributed Quick Edit module should also apply SA-CONTRIB-2022-025 [2]. If unable to update, consider disabling the Quick Edit module as a workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 9.3.0, < 9.3.6 | 9.3.6 |
| drupal/core (Packagist) | >= 8.0.0, < 9.2.13 | 9.2.13 |
Affected products
- osv-coords (2 versions)
- (no CPE) range: >= 9.2.0, < 9.2.13
- (no CPE) range: >= 9.3.0, < 9.3.6
- Drupal/Core (v5) Range: 9.3.x
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-73q4-j324-2qcc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25270 (ghsa, ADVISORY)
- www.drupal.org/sa-core-2022-004 (ghsa, x_refsource_CONFIRM, WEB)