Main Vulnerability Database Vulnerabilities #VU65635

#VU65635 Code Injection in Drupal - CVE-2022-25277

Published: July 21, 2022

Vulnerability identifier: #VU65635

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-25277

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Drupal

Software vendor:
Drupal

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper sanitization of certain filenames on uploaded files with an "htaccess" extension. A remote administrator can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://www.drupal.org/sa-core-2022-014

#VU65635 Code Injection in Drupal - CVE-2022-25277

Description

Remediation

External links

Please verify you're human