Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Read Time:1 Minute, 3 Second

Project:

Drupal core

Date:

2022-February-16

Security risk:

Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Improper input validation

CVE IDs:

CVE-2022-25271

Description:

Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.6.
If you are using Drupal 9.2, update to Drupal 9.2.13.
If you are using Drupal 7, update to Drupal 7.88.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By:

Fabian Iwand

Fixed By:

xjm of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Ben Dougherty of the Drupal Security Team
Drew Webber of the Drupal Security Team
Jen Lampton
Nate Lampton
Fabian Franz
Alex Bronstein of the Drupal Security Team

Upcoming Speaking Engagements

LockBit Ransomware Developer Extradited to US

TP-Link Router Botnet

Fraudsters Impersonate Clop Ransomware to Extort Businesses

Cybersecurity Industry Falls Short on Collaboration, Says Former GCHQ Director

Volt Typhoon Accessed US OT Network for Nearly a Year

CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure

RIP Mark Klein

Chromecast chaos – 2nd gen devices go belly-up as Google struggles to fix certificate issue

Drupal core – Moderately critical – Improper input validation – SA-CORE-2022-003

dotnet8.0-8.0.114-1.fc40

dotnet8.0-8.0.114-1.fc41

dotnet8.0-8.0.114-1.fc42

USN-7328-3: Linux kernel vulnerabilities

expat-2.7.0-1.fc40

expat-2.7.0-1.fc41