Drupal has patched a Critical vulnerability that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal vulnerability (CVE-2022-39261) is in the Twig third-party library used for content templating and sanitization.
“Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials,” Drupal noted in the advisory.
The vulnerability is fixed in Drupal 9.4.7 (if using 9.4) and Drupal 9.3.22 (if using 9.3).
All versions of Drupal 9 prior to 9.3.x are end-of-life.