osv | Google | OSV:BIT-DRUPAL-2022-25278
Mar 06, 2024 - 10:52 a.m.

BIT-drupal-2022-25278

2024-03-06 10:52:33
Google
osv.dev
7
drupal
form api
vulnerability
unauthorized access
data alteration
software
contributed modules
custom themes

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 7 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.8%)

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

CPE
Name    Operator  Version
drupal  lt        9.3.19
drupal  lt        9.4.3
drupal  ge        8.0.0
drupal  ge        9.4.0
