Saturday, July 11, 2026

Drupal warns of two critical vulnerabilities


Drupal announced two vulnerabilities affecting versions 9.2 and 9.3 that could allow attackers to upload malicious files and take control of sites. The threat level of both vulnerabilities is rated as moderately severe.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that the vulnerabilities could allow attackers to take control of a vulnerable Drupal-based website.

CISA stated:

“Drupal has released a security update to address a vulnerability affecting Drupal 9.2 and 9.3.

An attacker could exploit these vulnerabilities to take control of an affected system. “

drupa

Drupal is a popular open source content management system written in the PHP programming language.

Many major organizations, including the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University, use Drupal on their websites.

Forms API – incorrect input validation

The first vulnerability affects Drupal’s forms API. The vulnerability is incorrect input validation, which means that content uploaded via the Forms API is not validated for permission.

Validating the content of an upload or input form is a common best practice. Typically, input validation is done through an allow list approach, where the form requires a specific input and rejects anything that doesn’t correspond to the expected input or upload.

When the form fails to validate the input, the website opens to upload files that could trigger unwanted behavior in the web application.

Drupal’s announcement explains the specific problem:

“A vulnerability exists in Drupal core’s Forms API where some contributed or custom modules’ forms may be vulnerable to incorrect input validation. This could allow an attacker to inject disallowed values ​​or overwrite data. Affected Forms Uncommon, but in some cases attackers may alter critical or sensitive data.”

Drupal Core – Access Bypass

Access bypass is a form of vulnerability in which there may be a way to access parts of a site through a path that lacks access control checks, resulting in users being able to access levels of permissions they do not have in some cases.

The Drupal advisory describes the vulnerability:

“Drupal 9.3 implements a generic entity access API for entity revisions. However, this API is not fully integrated with existing permissions, resulting in some potential for users who normally have access to content revisions but do not have access to individual items of node and media content access bypass.”

Publishers are encouraged to review security bulletins and apply updates

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage publishers to review security bulletins and update to the latest version.

Citation

Read the official CISA Drupal Vulnerability Bulletin

Drupal releases security update

Read two Drupal security bulletins

Drupal Core – Moderately Critical – Improper Input Validation – SA-CORE-2022-008

Drupal Core – Moderately Critical – Access Bypass – SA-CORE-2022-009





Source link

Related articles

Most Popular Baby Names 2024: Top Picks

Join us as we explore the captivating world of the most popular baby names for 2024! Which name will you choose...

Most Popular Baby Names 2024: Top Picks

Join us as we explore the captivating world of the most popular baby names for 2024! Which name will you choose...

How to Settle a Colic Baby: Proven Tips

Eager to discover effective ways to calm your colicky baby? From soothing techniques to critical consultation cues, let's explore what...

What Is Colic in Babies: Key Facts Revealed

Understanding what colic in babies truly entails can be a challenge for many parents. As the evening wears on, and the baby's cries reach a crescendo, an urgent question looms in the air: what now?

The 7 Best Ways to Gain Popularity

Online searches are often not the starting point...
spot_imgspot_img