Platform: drupal
Component: webform
Fixed in: 9.2.18, 9.3.12
CVE-2022-25273 describes an improper input validation vulnerability within Drupal core's form API. This flaw can allow attackers to inject disallowed values or overwrite data in certain contributed or custom modules' forms, potentially leading to the alteration of critical or sensitive information. This vulnerability affects Drupal Core versions up to and including 9.2.9. The issue is resolved in Drupal version 9.2.18.
CVE-2022-25273 in Drupal Core affects the Form API, allowing attackers to inject disallowed values or overwrite data in forms from contributed or custom modules. While affected forms are uncommon, in certain cases, an attacker could alter critical or sensitive data. The risk stems from insufficient input validation within some forms. This could lead to manipulation of application logic or exposure of confidential information. The CVSS severity score is 7.5, indicating a high risk. Updating to version 9.2.18 is crucial to mitigate this vulnerability. Failure to update could leave websites vulnerable to targeted attacks exploiting this weakness in the Form API. The nature of the Form API means the vulnerability could impact a wide range of website functionalities, depending on how forms are utilized.
An attacker could exploit this vulnerability by injecting malicious data into a vulnerable form via an HTTP request. This malicious data could be used to overwrite existing data, modify application logic, or even execute arbitrary code, depending on the website configuration and user permissions. Successful exploitation of this vulnerability could result in data loss, alteration of website functionality, or even complete server control. The difficulty of exploitation will depend on the complexity of the form and the security measures implemented. It is important to note that Drupal 7 is not affected by this vulnerability.
Exploit Status
EPSS: 0.28% (52nd percentile)
CVSS Vector
The primary mitigation for CVE-2022-25273 is to update Drupal Core to version 9.2.18 or higher. This update includes the necessary fixes to address the input validation vulnerability in the Form API. Additionally, it is recommended to review contributed and custom modules that utilize the Form API to ensure they implement robust input validation. Regular security audits can help identify and correct potential vulnerabilities in forms. Implementing strict security policies for data management and access control can also reduce the potential impact of a successful attack. Monitoring server logs for suspicious activity related to form manipulation is a recommended practice for detecting and responding to potential attacks.
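The advice above to review custom modules that use the Form API is easier to act on with a concrete pattern. The following is an added illustration, not code from Drupal core or from this advisory: a hypothetical custom-module configuration form (module name, form ID and config keys are assumptions) that keeps an explicit server-side allowlist for its values and saves only the fields it declares, rather than persisting whatever arrives in the form state.

```php
<?php
// Added illustration, not Drupal core code. The module name "example_settings",
// the form ID and the config keys are assumptions made for this example.

namespace Drupal\example_settings\Form;

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;

class ExampleSettingsForm extends ConfigFormBase {

  // Single server-side allowlist. The select element's #options is built from
  // it, so the choices shown to the client and the values accepted on
  // submission cannot drift apart.
  const ALLOWED_MODES = [
    'public' => 'Public',
    'members' => 'Members only',
    'staff' => 'Staff only',
  ];

  protected function getEditableConfigNames() {
    return ['example_settings.settings'];
  }

  public function getFormId() {
    return 'example_settings_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $config = $this->config('example_settings.settings');
    $form['visibility_mode'] = [
      '#type' => 'select',
      '#title' => $this->t('Visibility mode'),
      '#options' => self::ALLOWED_MODES,
      '#default_value' => $config->get('visibility_mode') ?? 'public',
    ];
    $form['max_items'] = [
      '#type' => 'number',
      '#title' => $this->t('Maximum items'),
      '#min' => 1,
      '#max' => 100,
      '#default_value' => $config->get('max_items') ?? 10,
    ];
    return parent::buildForm($form, $form_state);
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    parent::validateForm($form, $form_state);

    // Core's element validation normally rejects a select value that is not in
    // #options; checking the allowlist here as well keeps the rule enforced by
    // the form itself, independent of how the element is defined or changed later.
    $mode = $form_state->getValue('visibility_mode');
    if (!is_string($mode) || !array_key_exists($mode, self::ALLOWED_MODES)) {
      $form_state->setErrorByName('visibility_mode', $this->t('The selected visibility mode is not allowed.'));
    }

    // Same for the numeric range: HTML min/max attributes are a usability aid,
    // so the bound is re-checked on the server.
    $max = $form_state->getValue('max_items');
    if (!is_numeric($max) || (int) $max < 1 || (int) $max > 100) {
      $form_state->setErrorByName('max_items', $this->t('Maximum items must be between 1 and 100.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Persist only the fields this form declares, each fetched by name.
    // Copying $form_state->getValues() wholesale into config would let keys the
    // form never intended to expose overwrite stored data.
    $this->config('example_settings.settings')
      ->set('visibility_mode', $form_state->getValue('visibility_mode'))
      ->set('max_items', (int) $form_state->getValue('max_items'))
      ->save();
    parent::submitForm($form, $form_state);
  }

}
```

The two habits worth carrying into an audit of existing forms are visible here: every accepted value is compared against an allowlist the server owns, and the submit handler writes named fields rather than the whole submitted value set. Neither replaces updating core to a fixed release; they limit what a form can be made to overwrite if an input-validation flaw is present.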
Update the Webform module to version 9.2.18 or higher, or Drupal Core to version 9.3.12 or higher. This update fixes a disallowed-value injection vulnerability caused by inadequate input validation in certain forms, which could allow an attacker to alter critical data.
Drupal's Form API is a system that allows developers to create and manage web forms within a Drupal site.
Version 9.2.18 contains the necessary fixes to mitigate CVE-2022-25273, protecting your website from potential attacks.
If you are using a Drupal version prior to 9.2.18, you are likely vulnerable. Perform a security audit to confirm.
Review the code of your custom modules that use the Form API to ensure they implement proper input validation.
No, Drupal 7 is not affected by this vulnerability.