View online: https://www.drupal.org/sa-contrib-2022-025
Project: Quick Edit [1]
Date: 2022-February-16
Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 [3].
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.
Solution: Install the latest version:
* If you use the Quick Edit module for Drupal 9.x, upgrade to Quick Edit 1.0.1 [4]
Reported By:
* Samuel Mortenson [5]
Fixed By:
* Théodore Biadala [6]
* xjm [7] of the Drupal Security Team
* Alex Bronstein [8] of the Drupal Security Team
* Adam G-H [9]
* Drew Webber [10] of the Drupal Security Team
* Wim Leers [11]
* Ted Bowman [12]
* Dave Long [13]
* Derek Wright [14]
* Lee Rowlands [15] of the Drupal Security Team
* Samuel Mortenson [16]
* Joseph Zhao [17]
[1] https://www.drupal.org/project/quickedit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2022-004
[4] https://www.drupal.org/project/quickedit/releases/1.0.1
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/598310
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/78040
[9] https://www.drupal.org/user/205645
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/99777
[12] https://www.drupal.org/user/240860
[13] https://www.drupal.org/user/246492
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/395439
[16] https://www.drupal.org/user/2582268
[17] https://www.drupal.org/user/1987218