Headline
CVE-2022-25278: Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
Affected versions:
>= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3
Description:
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
This advisory is not covered by Drupal Steward.
Solution:
Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Fixed By:
- Pierre Rudloff
- Tim Plunkett
- Heine of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- xjm of the Drupal Security Team
- Lauri Eskola, provisional member of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
Related news
Drupal core form API evaluates form element access incorrectly. This can lead to a user being able to alter data they should not have access to.