Drupal announced two vulnerabilities affecting versions 9.2 and 9.3 that could allow attackers to upload malicious files and take control of sites. The threat level of both vulnerabilities is rated as moderately severe.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that the vulnerabilities could allow attackers to take control of a vulnerable Drupal-based website.
CISA stated:
“Drupal has released a security update to address a vulnerability affecting Drupal 9.2 and 9.3.
An attacker could exploit these vulnerabilities to take control of an affected system. “
drupa
Drupal is a popular open source content management system written in the PHP programming language.
Many major organizations, including the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University, use Drupal on their websites.
Forms API – incorrect input validation
The first vulnerability affects Drupal’s forms API. The vulnerability is incorrect input validation, which means that content uploaded via the Forms API is not validated for permission.
Validating the content of an upload or input form is a common best practice. Typically, input validation is done through an allow list approach, where the form requires a specific input and rejects anything that doesn’t correspond to the expected input or upload.
When the form fails to validate the input, the website opens to upload files that could trigger unwanted behavior in the web application.
Drupal’s announcement explains the specific problem:
“A vulnerability exists in Drupal core’s Forms API where some contributed or custom modules’ forms may be vulnerable to incorrect input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected Forms Uncommon, but in some cases attackers may alter critical or sensitive data.”
Drupal Core – Access Bypass
Access bypass is a form of vulnerability in which there may be a way to access parts of a site through a path that lacks access control checks, resulting in users being able to access levels of permissions they do not have in some cases.
The Drupal advisory describes the vulnerability:
“Drupal 9.3 implements a generic entity access API for entity revisions. However, this API is not fully integrated with existing permissions, resulting in some potential for users who normally have access to content revisions but do not have access to individual items of node and media content access bypass.”
Publishers are encouraged to review security bulletins and apply updates
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage publishers to review security bulletins and update to the latest version.
Citation
Read the official CISA Drupal Vulnerability Bulletin
Drupal releases security update
Read two Drupal security bulletins
Drupal Core – Moderately Critical – Improper Input Validation – SA-CORE-2022-008
Drupal Core – Moderately Critical – Access Bypass – SA-CORE-2022-009
!function(f,b,e,v,n,t,s) {if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)}; if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0'; n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t,s)}(window,document,'script', 'https://connect.facebook.net/en_US/fbevents.js');
if( typeof sopp !== "undefined" && sopp === 'yes' ){ fbq('dataProcessingOptions', ['LDU'], 1, 1000); }else{ fbq('dataProcessingOptions', []); }
fbq('init', '1321385257908563');
fbq('track', 'PageView');
fbq('trackSingle', '1321385257908563', 'ViewContent', { content_name: 'drupal-warns-of-two-critical-vulnerabilities', content_category: 'drupal news ' });



