Platform
drupal
Component
drupal
Fixed in
9.3.19
9.4.3
CVE-2022-25278 describes an improper access check in the Drupal core form API. The flaw can let users modify data they do not have permission to access, leading to unauthorized changes and possible data corruption. It affects Drupal Core versions up to and including 9.3.9 and is resolved in Drupal version 9.3.19.
CVE-2022-25278 in Drupal Core affects how the form API evaluates access to form elements. Specifically, the system isn't correctly validating permissions required to modify certain fields, potentially allowing a user with insufficient privileges to alter data they shouldn't. This could manifest as modifying site configurations, manipulating sensitive content, or even altering user data. The impact varies depending on site configuration and user permissions, but in the worst case, it could compromise the integrity and security of information stored on the site. The CVSS severity is 6.5, indicating a moderate risk. Updating Drupal to version 9.3.19 or higher is crucial to mitigate this risk.
The vulnerability is exploited through manipulation of data submitted via Drupal forms. An attacker could craft a malicious form or modify existing form data to bypass the necessary permissions to modify certain fields. The success of exploitation depends on the site configuration and user permissions. A technically skilled attacker could leverage this vulnerability to gain unauthorized access to sensitive data or to modify site configuration. The inadequate validation of access to form elements allows a user with insufficient privileges to circumvent security restrictions and perform actions they should not be able to.
Exploit Status
EPSS
0.45% (64th percentile)
CVSS Vector
The primary solution for addressing CVE-2022-25278 is to update Drupal Core to version 9.3.19 or later. This update includes the necessary fixes to correctly validate access to form elements. Additionally, it's recommended to review user permissions and roles on the Drupal site to ensure users only have access to the functionalities and data they need. Regular security audits can help identify and correct potential misconfigurations that could increase the risk of exploitation. If immediate updating isn't possible, consider implementing additional security measures, such as restricting access to certain site areas and monitoring user activity for suspicious behavior.
Update Drupal core to version 9.4.3 or later, or to version 9.3.19 or later, to mitigate the vulnerability. This update fixes an error in how the Drupal core form API evaluates access to form elements, which could allow a user to modify data they should not have access to.
Drupal Core versions prior to 9.3.19 are vulnerable to CVE-2022-25278.
You can verify the Drupal version on the site's administration page, in the 'Site information' section.
If you cannot update immediately, consider restricting access to sensitive areas of the site and monitoring user activity.
There are Drupal security scanners that can help you identify this and other vulnerabilities.
You can find more information on the Drupal website and on vulnerability databases like the National Vulnerability Database (NVD).
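The version check described above can be automated against a project's composer.lock. The script below is an added example written for this page, not code from Drupal or from the advisory's publisher; it reads the drupal/core entry from a composer.lock and compares it with the fixed releases named here (9.3.19 for the 9.3 branch, 9.4.3 for the 9.4 branch). The sample lock fragment is constructed, the package name drupal/core-recommended is assumed to pin the same version as drupal/core, and the handling of releases below 9.3 (treated as affected, since the page says versions prior to 9.3.19 are vulnerable), of 9.5 and later and of other major versions (treated as not affected) is an assumption of this example.

```python
"""Check a composer.lock for a drupal/core version affected by CVE-2022-25278.

Fixed releases named on the advisory page: 9.3.19 (9.3.x) and 9.4.3 (9.4.x).
Example code; not Drupal's or the advisory publisher's own tooling.
"""
import json
import re

# Fixed versions per minor branch, as listed on the advisory page.
FIXED_BY_BRANCH = {(9, 3): (9, 3, 19), (9, 4): (9, 4, 3)}

# Package names that carry the core version in composer.lock.
# Assumption: drupal/core-recommended pins the same version as drupal/core.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(text):
    """Turn '9.3.18', 'v9.4.1' or '9.3.18-rc1' into a tuple of ints (pre-release tag dropped)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if this core version predates the fix on its branch.

    Assumptions of this example: 9.x releases below 9.3 are treated as affected,
    9.5+ as carrying the fix, and other major versions as out of scope (not affected).
    """
    v = parse_version(version) if isinstance(version, str) else version
    branch = (v[0], v[1])
    if v[0] != 9:
        return False
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < (9, 3)


def find_core_version(lock_text):
    """Locate the Drupal core package in composer.lock JSON and return its version string."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg["version"]
    return None


def check_lock(lock_text):
    """Return (version, affected) for a composer.lock; (None, None) if no core package is listed."""
    version = find_core_version(lock_text)
    if version is None:
        return None, None
    return version, is_affected(version)


# Constructed sample composer.lock fragment (not a real project's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core-recommended", "version": "9.3.18"},
        {"name": "drupal/core", "version": "9.3.18"},
        {"name": "symfony/console", "version": "v4.4.44"},
    ]
})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    state = "AFFECTED by CVE-2022-25278" if affected else "not affected"
    print(f"drupal/core {version}: {state}")
```

Run it against a real file with `check_lock(open("composer.lock").read())`; a result of `(None, None)` means the lock does not list Drupal core at all (for example a site not managed through Composer), which the script deliberately reports rather than treating as safe.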