Description

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Remediation

References

CVE-2020-13674

Related Vulnerabilities

WordPress Plugin LearnPress-WordPress LMS Cross-Site Request Forgery (3.2.7.2)

Magento Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2019-8154)

WordPress Plugin Insert Html Snippet Cross-Site Request Forgery (1.2)

WordPress Plugin PublishPress:Editorial Calendar, Workflow, Comments, Notifications and Statuses Cross-Site Scripting (3.5.0)

WebLogic CVE-2018-2998 Vulnerability (CVE-2018-2998)

Severity

Medium

Classification

CVE-2020-13674 CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities