Synopsis
A PHP application running on the remote web server is affected by multiple vulnerabilities.
Description
According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.18 or 9.3.x prior to 9.3.12. It is, therefore, affected by multiple vulnerabilities.
- Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. This advisory is not covered by Drupal Steward. (SA-CORE-2022-009)
- Drupal core's form API has an improper input validation vulnerability that can affect certain contributed or custom modules' forms. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms. This advisory is not covered by Drupal Steward. (SA-CORE-2022-008)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 9.2.18 / 9.3.12 or later.
Plugin Details
File Name: drupal_9_3_12.nasl
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: Settings/ParanoidReport, installed_sw/Drupal
Exploit Ease: No known exploits are available
Patch Publication Date: 4/20/2022
Vulnerability Publication Date: 4/20/2022