CVE-2022-25271

NameCVE-2022-25271
DescriptionDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2925-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)jessie, jessie (lts)7.32-1+deb8u19vulnerable
stretch (security), stretch (lts), stretch7.52-2+deb9u18fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal7sourcejessie(unfixed)end-of-life
drupal7sourcestretch7.52-2+deb9u18DLA-2925-1
drupal7source(unstable)(unfixed)

Notes

https://www.drupal.org/sa-core-2022-003
https://git.drupalcode.org/project/drupal/-/commit/43c757167380643b5f73287a63a8739731a5b712

Search for package or bug name: Reporting problems