SB2022042015 - Multiple vulnerabilities in Drupal

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Drupal core API. A remote user with access to revisions can bypass implemented security restrictions and gain unauthorized access to the application.

2) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to alter critical or sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input within the Drupal core's form API. A remote attacker can pass specially crafted input to the application and inject disallowed values or overwrite data, in certain cases an attacker can alter critical or sensitive data.

Remediation

Install update from vendor's website.

References

• https://www.drupal.org/sa-core-2022-009
• https://www.drupal.org/sa-core-2022-008