Input validation error in Drupal

#VU60672 Input validation error in Drupal

Published: 2022-02-16 | Updated: 2022-02-17

Vulnerability identifier: #VU60672

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25271

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description

The vulnerability allows a remote attacker to compromise the web application.

The vulnerability exists due to insufficient validation of user-supplied input within the form API. A remote attacker can send specially crafted input to the Drupal core's form API and inject or overwrite data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Drupal: 9.3.0 - 9.3.5, 9.2.0 - 9.2.12, 9.1.0 - 9.1.15, 9.0.0 - 9.0.14, 8.9.0 - 8.9.20, 8.8.0 - 8.8.12, 8.7.0 - 8.7.14, 8.6.0 - 8.6.18, 8.5.0 - 8.5.15, 8.4.0 - 8.4.8, 8.3.0 - 8.3.9, 8.2.0 - 8.2.8, 8.1.0 - 8.1.10, 8.0 - 8.0.6, 7.0 - 7.x-dev

CPE

cpe:2.3:a:drupal:drupal:9.3.5:*:*:*:*:*:*:*

External links
http://www.drupal.org/sa-core-2022-003

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Improper input validation in Backdrop CMS Form API

Multiple vulnerabilities in Drupal