- 161/2022
- High
Drupal has released multiple security updates to address vulnerabilities affecting versions 9.4, 9.3, and 9.7. The remote attacker could exploit these vulnerabilities to take control and disclose information about the affected system.
The highest severity for the addressed vulnerabilities could allow the remote attacker to execute arbitrary code within the context of the vulnerable application, which could potentially lead to full system compromise.
Sample of the addressed vulnerabilities:
- Drupal Core Arbitrary PHP code execution (CVE-2022-25277)
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
- Remediation Level: Official Fix
- Drupal core information disclosure (CVE-2022-25275)
- CVSS: 5.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
- Remediation Level: Official Fix
Vulnerabilities
- CVE-2022-25276
- CVE-2022-25277
- CVE-2022-25278
- CVE-2022-25275
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.