Platform: drupal
Component: webform
Fixed in: 9.2.18, 9.3.12
CVE-2022-25273 affects Drupal Core's form API, where improper input validation within contributed or custom modules can lead to vulnerabilities. An attacker could inject disallowed values or overwrite data, potentially compromising sensitive information. This issue impacts Drupal Core versions up to 9.2.9, but is resolved in version 9.2.18.
The vulnerability lies in the form API's handling of input validation. While affected forms are not widespread, successful exploitation could allow an attacker to modify critical or sensitive data within the Drupal site. This could involve altering user roles, permissions, or other configuration settings. The potential impact depends heavily on the specific modules and forms involved, but the ability to manipulate data directly poses a significant risk. A successful attack could lead to unauthorized access, data breaches, or even complete site compromise.
CVE-2022-25273 was published on April 26, 2023. Severity is assessed as High (CVSS 7.5). Public proof-of-concept exploits are not widely available, but the potential for data manipulation warrants attention. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation.
Exploit status
EPSS: 0.28% (52nd percentile)
CVSS vector:
The primary mitigation is to upgrade Drupal Core to version 9.2.18 or later. Before upgrading, it's crucial to review all contributed and custom modules for potential vulnerabilities and ensure compatibility with the new Drupal Core version. Consider creating a backup of the site before initiating the upgrade process. If an immediate upgrade is not possible, implement strict input validation on all custom forms and review contributed modules for known vulnerabilities. WAF rules can be configured to filter suspicious input patterns, but this is not a substitute for patching.
Update the Webform module to version 9.2.18 or later, or Drupal Core to version 9.3.12 or later. This update fixes a vulnerability in which disallowed values could be injected because of inadequate input validation in certain forms, which could allow an attacker to alter critical data.
Drupal's Form API is a system that allows developers to create and manage web forms within a Drupal site.
Version 9.2.18 contains the necessary fixes to mitigate CVE-2022-25273, protecting your website from potential attacks.
If you are using a Drupal version prior to 9.2.18, you are likely vulnerable. Perform a security audit to confirm.
Review the code of your custom modules that use the Form API to ensure they implement proper input validation.
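The mitigation advice above (strict input validation on custom forms, and reviewing custom modules that use the Form API) as an added example, not code from the advisory or from Drupal core: a Drupal 9 form class that re-validates the submitted value against a server-side allow-list in its own validateForm(), so the form does not rely solely on the Form API's handling of the rendered #options. The module name example_module, the class UserRoleForm and the role list are hypothetical.

```php
<?php
// Added example (not from the advisory or Drupal core). Module, class and
// role names are hypothetical.

namespace Drupal\example_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

class UserRoleForm extends FormBase {

  // Server-side allow-list of the only roles this form may ever assign.
  private const ALLOWED_ROLES = ['editor' => 'Editor', 'reviewer' => 'Reviewer'];

  public function getFormId() {
    return 'example_module_user_role_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['role'] = [
      '#type' => 'select',
      '#title' => $this->t('Role'),
      '#options' => self::ALLOWED_ROLES,
      '#required' => TRUE,
    ];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Save')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $role = $form_state->getValue('role');
    // Defence in depth: check the submitted value against the constant
    // allow-list, not only against whatever #options were rendered. A value
    // that fails here raises a form error and never reaches submitForm().
    if (!is_string($role) || !array_key_exists($role, self::ALLOWED_ROLES)) {
      $form_state->setErrorByName('role', $this->t('The selected role is not permitted.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only allow-listed values arrive here; persist the validated value.
    $form_state->set('validated_role', $form_state->getValue('role'));
  }

}
```

Run this as part of a custom module and submit a tampered POST value for the role field; the request is rejected in validateForm() before any data is written.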
No, Drupal 7 is not affected by this vulnerability.