vulnerability

Drupal: CVE-2020-13674: Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Feb 11, 2022

Added

Mar 23, 2022

Modified

Aug 11, 2025

Description

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Solutions

drupal-upgrade-8_9_1drupal-upgrade-9_1_1drupal-upgrade-9_2_6

References

CVE-2020-13674
https://attackerkb.com/topics/CVE-2020-13674
CWE-352
https://www.drupal.org/sa-core-2021-007

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report