Drupal 9.2.x < 9.2.18 / 9.3.x < 9.3.12 Multiple Vulnerabilities (drupal-2022-04-20)

high Nessus Plugin ID 160024

Synopsis

A PHP application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.18 or 9.3.x prior to 9.3.12. It is, therefore, affected by multiple vulnerabilities.

- Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. This advisory is not covered by Drupal Steward. (SA-CORE-2022-009)

- Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms. This advisory is not covered by Drupal Steward. (SA-CORE-2022-008)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Drupal version 9.2.18 / 9.3.12 or later.

See Also

https://www.drupal.org/sa-core-2022-009

https://www.drupal.org/project/drupal/releases/9.3.12

https://www.drupal.org/steward

https://www.drupal.org/sa-core-2022-008

https://www.drupal.org/project/drupal/releases/9.2.18

https://www.drupal.org/psa-2021-06-29

Plugin Details

Severity: High

ID: 160024

File Name: drupal_9_3_12.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 4/21/2022

Updated: 10/23/2024

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: Settings/ParanoidReport, installed_sw/Drupal

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2022

Vulnerability Publication Date: 4/20/2022