CVE-2022-25274

Name of the Vulnerable Software and Affected Versions Drupal version 9.3

Description The issue arises from the incomplete integration of the generic entity access API for entity revisions with existing permissions in Drupal 9.3. This results in possible access bypass for users who have access to use revisions of content generally but do not have access to individual items of node and media content. The vulnerability only affects sites using Drupal's revision system.

Recommendations For Drupal version 9.3, update to a version that fully integrates the entity access API with existing permissions to prevent access bypass. At the moment, there is no information about a newer version that contains a fix for this vulnerability.