[Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

security-news at drupal.org security-news at drupal.org
Wed Apr 20 15:59:01 UTC 2022


View online: https://www.drupal.org/sa-core-2022-008

Project: Drupal core [1]
Date: 2022-April-20
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Improper input validation

Description: 
Drupal core's form API has a vulnerability where certain contributed or
custom modules' forms may be vulnerable to improper input validation. This
could allow an attacker to inject disallowed values or overwrite data.
Affected forms are uncommon, but in certain cases an attacker could alter
critical or sensitive data.

We do not know of affected forms within core itself, but contributed and
custom project forms could be affected. Installing this update will fix those
forms.

This advisory is not covered by Drupal Steward [3].

Solution: 
Install the latest version:

   * If you are using Drupal 9.3, update to Drupal 9.3.12 [4].
   * If you are using Drupal 9.2, update to Drupal 9.2.18 [5].

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [6].

Drupal 7 is not affected.

Reported By: 
   * Dezső BICZÓ [7]

Fixed By: 
   * xjm [8] of the Drupal Security Team
   * Alex Bronstein [9] of the Drupal Security Team
   * Dezső BICZÓ [10]
   * Lee Rowlands [11] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.3.12
[5] https://www.drupal.org/project/drupal/releases/9.2.18
[6] https://www.drupal.org/psa-2021-06-29
[7] https://www.drupal.org/user/315522
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/315522
[11] https://www.drupal.org/user/395439



More information about the Security-news mailing list