"Code Execution and Other Vulnerabilities Patched in Drupal"

Drupal developers have released updates that patch several vulnerabilities in the open source content management system (CMS). One of the vulnerabilities patched has been rated “critical” and the other three “moderately critical.” Drupal rates vulnerabilities with the NIST Common Misuse Scoring System rather than CVSS, using the levels “less critical,” “moderately critical,” “critical,” and “highly critical.”

The “critical” vulnerability is tracked as CVE-2022-25277 and affects Drupal 9.3 and 9.4. The issue is in Drupal core, and it can lead to arbitrary PHP code execution on Apache web servers through the upload of specially crafted files. Drupal noted that only Apache web servers are impacted, and only under specific configurations. Drupal has advised website admins to check their servers for possible signs of compromise.

The three “moderately critical” security holes also affect Drupal core. Drupal noted that exploiting them can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass. Patches for these vulnerabilities are included in Drupal 9.4.3 and 9.3.19. The information disclosure flaw also affects Drupal 7, and a fix has been included in version 7.91.

SecurityWeek reports: "Code Execution and Other Vulnerabilities Patched in Drupal"