Moderately Critical Improper Input Validation in Drupal Core


On February 16th, 2022, the Drupal security team announced SA-CORE-2022-003, a moderately critical improper input validation vulnerability in Drupal Core. It is classified as moderately critical with a rating of 14/25, based on AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon.

The vulnerability was reported by Fabian Iwand. It lies in Drupal core's form API, where forms from certain contributed or custom modules have improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are not common, but in certain cases an attacker could alter critical or sensitive data.

This advisory announcement is not covered by Drupal Steward.

Solution

The vulnerability was fixed by Jen Lampton, Nate Lampton, Fabian Franz, and the Drupal security team members xjm, Lee Rowlands, Ben Dougherty, Drew Webber, and Alex Bronstein.

The Solution is to install the latest version, i.e

Please note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Drupal 8 has also reached its end of life.

Source: https://www.drupal.org/sa-core-2022-003
