Platform
drupal
Component
drupal
Fixed in
9.3.19
9.4.3
CVE-2022-25278 affects Drupal Core, specifically the evaluation of form element access. A flaw in this evaluation can allow a user to alter data they should not have access to. This impacts Drupal Core versions up to 9.3.9 and is resolved in version 9.3.19.
The vulnerability stems from incorrect form element access evaluation within Drupal Core. This allows unauthorized users to modify data they should not be permitted to change. The specific impact depends on the data accessible through the affected forms. A successful attack could lead to unauthorized modifications of user accounts, content, or other critical site data. The potential for data corruption and unauthorized access makes this a significant concern.
CVE-2022-25278 was published on April 24, 2023. The CVSS score is 6.5 (MEDIUM). Public proof-of-concept exploits are not widely available. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation.
Exploit status
EPSS
0.45% (64th percentile)
CVSS vector
The primary mitigation is to upgrade Drupal Core to version 9.3.19 or later. Before upgrading, review all custom modules and forms for potential access control vulnerabilities. Implement strict access control policies and regularly audit user permissions. Consider using a Web Application Firewall (WAF) to detect and block suspicious requests. After the upgrade, confirm access controls are functioning as expected by testing various user roles and permissions.
Update Drupal core to version 9.4.3 or later, or to version 9.3.19 or later, to mitigate the vulnerability. This update fixes an error in the way the Drupal core Form API evaluates access to form elements, which could allow a user to modify data they should not have access to.
Drupal Core versions prior to 9.3.19 are vulnerable to CVE-2022-25278.
You can verify the Drupal version on the site's administration page, in the 'Site information' section.
If you cannot update immediately, consider restricting access to sensitive areas of the site and monitoring user activity.
There are Drupal security scanners that can help you identify this and other vulnerabilities.
You can find more information on the Drupal website and on vulnerability databases like the National Vulnerability Database (NVD).
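A quick way to apply the version check above across a Composer-managed site is to read the installed `drupal/core` version out of `composer.lock` and compare it against the fixed releases this advisory names (9.3.19 for the 9.3 branch, 9.4.3 for the 9.4 branch). The script below is an added example, not code from the Drupal project or from this advisory; the `composer.lock` content is constructed, and treating 9.5 and later as fixed is an assumption.

```python
import json
import re

# Fixed releases given in the advisory: 9.3 branch fixed in 9.3.19, 9.4 branch in 9.4.3.
FIXED = {(9, 3): (9, 3, 19), (9, 4): (9, 4, 3)}
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(version):
    """Turn '9.3.14' (or 'v9.3.14', '9.4.0-rc1') into the tuple (9, 3, 14)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this Drupal core version predates the fix for CVE-2022-25278.

    Per the advisory everything below 9.3.19 is affected and 9.4.x is
    affected below 9.4.3; 9.5 and later are assumed to carry the fix.
    """
    v = parse_version(version)
    if v[:2] == (9, 4):
        return v < FIXED[(9, 4)]
    return v < FIXED[(9, 3)]


def check_lock(lock_text):
    """Return (core_version, affected) for a composer.lock, or (None, None)
    when no Drupal core package is recorded in it."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg["version"], is_vulnerable(pkg["version"])
    return None, None


# Constructed sample composer.lock (not from a real site): a 9.3 site missing the fix.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core-recommended", "version": "9.3.14"},
    {"name": "drupal/core", "version": "9.3.14"},
    {"name": "symfony/console", "version": "v4.4.42"},
]})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    state = "AFFECTED by CVE-2022-25278, upgrade" if affected else "fixed"
    print(f"drupal/core {version}: {state}")
```

To run it against a real site, replace `SAMPLE_LOCK` with the contents of that site's `composer.lock`.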