CVE-2022-25271
Published 2022-02-16
CVE-2022-25271: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow…
Priority: P3 · 41 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 1.25% (65.6th percentile)
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 7.0.0 < 7.88 | 7.88 |
| drupal | core | >= 7.x < 7.88 | 7.88 |
| drupal | core | >= 8.0.0 < 9.2.13 | 9.2.13 |
| drupal | core | >= 9.2.x < 9.2.13 | 9.2.13 |
| drupal | core | >= 9.3.0 < 9.3.6 | 9.3.6 |
| drupal | core | >= 9.3.x < 9.3.6 | 9.3.6 |
| drupal | drupal | >= 7.0.0 < 7.88 | 7.88 |
| drupal | drupal | >= 9.2.0 < 9.2.13 | 9.2.13 |
| drupal | drupal | >= 9.3.0 < 9.3.6 | 9.3.6 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
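| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |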
OSV
Improper input validation in Drupal core
osv·2022-02-18
CVE-2022-25271 [HIGH] Improper input validation in Drupal core
GHSA
Improper input validation in Drupal core
ghsa·2022-02-18
CVE-2022-25271 [HIGH] CWE-20 Improper input validation in Drupal core
OSV
CVE-2022-25271: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
osv·2022-02-16
This advisory is not covered by [Drupal Steward](/steward).
OSV
CVE-2022-25271: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
osv·2022-02-16·CVSS 7.5
CVE-2022-25271 [HIGH] CVE-2022-25271: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
Drupal
Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
vendor_drupal·2022-02-16
CVE-2022-25271 [MEDIUM] Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
Title: Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
Vulnerability Type: Improper input validation
Description: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: If you are using Drupal 9.3, update to Drupal 9.3.6. If you are using Drupal 9.2, update to Drupal 9.2.13. If you are using Drupal 7, update to Drupal 7.88. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
https://www.drupal.org/sa-core-2022-003
Published: 2022-02-16