CVE-2020-13676

MEDIUM6.5EPSS 0.29%

Incorrect Authorization in Drupal core

Published: 9/15/2021Modified: 12/10/2025

Description

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Affected packages (3)

Bitnami/drupal>= 8.9.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
Packagist/drupal/core>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
Packagist/drupal/core>= 8.0.0, < 8.9.19

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13676
PATCHhttps://github.com/drupal/core
WEBhttps://github.com/drupal/core/commit/8e8e3d2ddd72471ba886346ecabfb5d98fd27d9b
WEBhttps://www.drupal.org/sa-core-2021-009