View online: https://www.drupal.org/sa-core-2022-013
Project: Drupal core [1] Date: 2022-July-20 Security risk: *Moderately critical* 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access Bypass
Description: Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
This advisory is not covered by Drupal Steward [3].
Solution: Install the latest version:
* If you are using Drupal 9.4, update to Drupal 9.4.3 [4]. * If you are using Drupal 9.3, update to Drupal 9.3.19 [5].
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [6].
Drupal 7 core is not affected.
Reported By: * Pierre Rudloff [7]
Fixed By: * Pierre Rudloff [8] * Tim Plunkett [9] * Heine [10] of the Drupal Security Team * Alex Bronstein [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team * Lauri Eskola [13], provisional member of the Drupal Security Team * Dave Long [14], provisional member of the Drupal Security Team * Lee Rowlands [15] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/project/drupal/releases/9.4.3 [5] https://www.drupal.org/project/drupal/releases/9.3.19 [6] https://www.drupal.org/psa-2021-06-29 [7] https://www.drupal.org/user/3611858 [8] https://www.drupal.org/user/3611858 [9] https://www.drupal.org/user/241634 [10] https://www.drupal.org/user/17943 [11] https://www.drupal.org/user/78040 [12] https://www.drupal.org/user/65776 [13] https://www.drupal.org/user/1078742 [14] https://www.drupal.org/user/246492 [15] https://www.drupal.org/user/395439