Lucene search

GitHub Advisory DatabaseGHSA-G36H-4JR6-QMM9

HistoryApr 26, 2023 - 3:30 p.m.

Improper input validation in Drupal core

2023-04-2615:30:21

CWE-20

GitHub Advisory Database

github.com

drupal core

form api

input validation

vulnerability

contributed modules

custom modules

sensitive data

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

19.4%

JSON

Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Drupal 7 is not affected.

Affected configurations

Vulners

Node

drupal_coredrupal_coreRange<9.3.12

drupal_coredrupal_coreRange8.0.0≥

drupal_coredrupal_coreRange<9.2.18

CPENameOperatorVersion
drupal/corelt9.3.12
drupal/corege8.0.0
drupal/corelt9.2.18

Name	Operator	Version
drupal/core	lt	9.3.12
drupal/core	ge	8.0.0
drupal/core	lt	9.2.18

References

github.com/advisories/GHSA-g36h-4jr6-qmm9

nvd.nist.gov/vuln/detail/CVE-2022-25273

www.drupal.org/sa-core-2022-008

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

19.4%

JSON

Related for GHSA-G36H-4JR6-QMM9