CVE-2022-25273 – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <9.2.18 || >=9.3.0 <9.3.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00142 pctl0.35047

Details

Improper input validation in Drupal core Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. Drupal 7 is not affected.

Metadata

Created: 2023-04-26T15:30:21Z
Modified: 2023-05-10T00:38:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-g36h-4jr6-qmm9/GHSA-g36h-4jr6-qmm9.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-g36h-4jr6-qmm9
Finding: F184
Auto approve: 1