Drupal has patched two vulnerabilities rated Moderately Critical, an improper input validation flaw and an information disclosure flaw, that affect multiple versions of Drupal Core.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
In the first advisory, SA-CORE-2022-003, Drupal fixed an improper input validation vulnerability, CVE-2022-25271.
“Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data,” Drupal noted in the advisory.
This issue is fixed in Drupal 9.3.6 (for sites on Drupal 9.3), Drupal 9.2.13 (for Drupal 9.2), and Drupal 7.88 (for Drupal 7).
In the second advisory, SA-CORE-2022-004, Drupal fixed an information disclosure vulnerability, CVE-2022-25270.
“The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the ‘access in-place editing’ permission viewing some content they are not authorized to access,” Drupal stated in the advisory.
This issue is fixed in Drupal 9.3.6 (for sites on Drupal 9.3) and Drupal 9.2.13 (for Drupal 9.2).