Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008


Chronologisch Thread 
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
  • Date: Wed, 20 Apr 2022 15:59:01 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2022-008

Project: Drupal core [1]
Date: 2022-April-20
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Improper input validation

Description: 
Drupal core's form API has a vulnerability where certain contributed or
custom modules' forms may be vulnerable to improper input validation. This
could allow an attacker to inject disallowed values or overwrite data.
Affected forms are uncommon, but in certain cases an attacker could alter
critical or sensitive data.

We do not know of affected forms within core itself, but contributed and
custom project forms could be affected. Installing this update will fix those
forms.

This advisory is not covered by Drupal Steward [3].

Solution: 
Install the latest version:

* If you are using Drupal 9.3, update to Drupal 9.3.12 [4].
* If you are using Drupal 9.2, update to Drupal 9.2.18 [5].

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [6].

Drupal 7 is not affected.

Reported By: 
* Dezső BICZÓ [7]

Fixed By: 
* xjm [8] of the Drupal Security Team
* Alex Bronstein [9] of the Drupal Security Team
* Dezső BICZÓ [10]
* Lee Rowlands [11] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.3.12
[5] https://www.drupal.org/project/drupal/releases/9.2.18
[6] https://www.drupal.org/psa-2021-06-29
[7] https://www.drupal.org/user/315522
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/315522
[11] https://www.drupal.org/user/395439

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008, security-news, 20.04.2022

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang