it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
- Date: Wed, 20 Apr 2022 15:59:01 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2022-008
Project: Drupal core [1]
Date: 2022-April-20
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Improper input validation
Description:
Drupal core's form API has a vulnerability where certain contributed or
custom modules' forms may be vulnerable to improper input validation. This
could allow an attacker to inject disallowed values or overwrite data.
Affected forms are uncommon, but in certain cases an attacker could alter
critical or sensitive data.
We do not know of affected forms within core itself, but contributed and
custom project forms could be affected. Installing this update will fix those
forms.
This advisory is not covered by Drupal Steward [3].
Solution:
Install the latest version:
* If you are using Drupal 9.3, update to Drupal 9.3.12 [4].
* If you are using Drupal 9.2, update to Drupal 9.2.18 [5].
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [6].
Drupal 7 is not affected.
Reported By:
* Dezső BICZÓ [7]
Fixed By:
* xjm [8] of the Drupal Security Team
* Alex Bronstein [9] of the Drupal Security Team
* Dezső BICZÓ [10]
* Lee Rowlands [11] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.3.12
[5] https://www.drupal.org/project/drupal/releases/9.2.18
[6] https://www.drupal.org/psa-2021-06-29
[7] https://www.drupal.org/user/315522
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/315522
[11] https://www.drupal.org/user/395439
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008, security-news, 20.04.2022
Archiv bereitgestellt durch MHonArc 2.6.24.