CVE-2022-25271

7.5 HIGH

📋 TL;DR

In Drupal core 9.2.x before 9.2.13 and 9.3.x before 9.3.6, the form API can let certain forms built by contributed or custom modules accept input they should have rejected. An attacker who can submit such a form may inject disallowed values or overwrite data the form was never meant to let them change. Affected forms are uncommon, but where one handles critical or sensitive data the consequences are correspondingly serious. Only sites running an affected contributed or custom module are exposed; because the flaw is in core, updating core fixes it for every such module at once.

💻 Affected Systems

Products:
  • Drupal Core
Versions: Drupal 9.3.x before 9.3.6, Drupal 9.2.x before 9.2.13
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: The weakness lives in core's form API but only manifests through certain contributed or custom module forms, which the advisory describes as uncommon. Drupal 7 core is not affected. Drupal 9.1.x and earlier, and all of Drupal 8, were already end of life at the time of the advisory and received no fix; sites on those branches need to move to a supported release rather than wait for a patch.

📦 What is this software?

Drupal is an open-source content management system written in PHP. Its form API (FAPI) is the framework through which core and modules declare forms as render arrays; it builds, validates and processes every form submission, which is why a defect in it surfaces through whichever module forms happen to rely on the affected behaviour.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can submit an affected form overwrites data the form was not meant to let them change, or injects values outside the allowed set. Where that data is critical or sensitive, as the advisory warns it can be, the result is data corruption or unauthorized modification, and if the overwritten field governs access, privilege escalation.

🟠 Likely Case

Limited data manipulation through one specific affected form. Affected forms are uncommon and the attacker must already be able to reach and submit one, so the usual outcome is a tampered submission or stored value on a site running an unusual contributed or custom module.

🟢 If Mitigated

With core updated, or with the affected forms access-restricted and their input validated explicitly, impact is minimal: the issue is confined to specific contributed or custom module forms.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of specific vulnerable forms and typically requires some level of access to submit forms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Drupal 9.3.6 or 9.2.13

Vendor Advisory: https://www.drupal.org/sa-core-2022-003

Restart Required: No

Instructions:

1. Update Drupal core to 9.3.6 (for 9.3.x) or 9.2.13 (for 9.2.x).
2. Run database updates if the release introduces any.
3. Clear all caches.

🔧 Temporary Workarounds

Disable vulnerable modules (applies to all platforms)

Identify any contributed or custom modules whose forms use the affected behaviour and disable them until core is updated. Uninstalling a module in Drupal 8 and later removes its configuration and the data it owns, so export configuration and take a backup first, and check that nothing else depends on the module.

drush pm:uninstall MODULE_NAME

🧯 If You Can't Patch

  • Add explicit validation to the affected custom or contributed forms: in the form's validate handler, re-check every submitted value against the set of values the form actually offered, and never act on submitted values for fields the user was not shown.
  • Restrict who can reach the affected forms with Drupal's permission system, so that only trusted roles can submit them until core is patched.

🔍 How to Verify

Check if Vulnerable:

Check the Drupal core version with 'drush status' or at admin/reports/status. Core 9.3.x below 9.3.6 or 9.2.x below 9.2.13 is unpatched; 9.1.x and earlier are end of life and also unpatched. Whether an unpatched site is actually exploitable depends on whether one of its contributed or custom modules uses an affected form, but the core version is the only reliable check.

Check Version:

drush status | grep 'Drupal version'

Verify Fix Applied:

Confirm the Drupal core version is 9.3.6 or later, or 9.2.13 or later. If you know which module form was affected, resubmit it with a value outside its allowed set and confirm the submission is rejected.
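As an added example, not part of the page or of the Drupal project, the following script ties the fix instructions above and this verification section together: it classifies a core version against the 9.3.6 / 9.2.13 fix releases, pulls the version out of drush status output, and wraps the update, database-update and cache-clear steps in a function you invoke yourself. The commands assume a composer-managed site that requires drupal/core-recommended with drush under vendor/bin (both assumptions about your site); the drush status output is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the page or the Drupal project): classify a Drupal core
# version against the SA-CORE-2022-003 fix releases, extract the version from
# `drush status` output, and wrap the upgrade steps in a function that only runs
# when you call it yourself. The checks need only sh, cut and awk.

# Classify a version string. Prints one of:
#   fixed        contains the fix (9.3.6+, 9.2.13+, or any later branch)
#   vulnerable   9.2.x / 9.3.x below the fix release
#   unsupported  end-of-life branch (Drupal 9.1 and earlier, 8.x, 6.x) that got no fix
#   not-affected Drupal 7, which the advisory states is not affected
#   unknown      not a version string this function understands
drupal_core_status() {
  ver="${1%%-*}"                                   # drop suffixes such as 9.3.6-dev
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -s -d. -f2)
  patch=$(printf '%s' "$ver" | cut -s -d. -f3)
  case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
  case "$patch" in ''|*[!0-9]*) patch=0 ;; esac    # "9.3.x" is treated as 9.3.0
  if [ "$major" -ge 10 ]; then echo fixed
  elif [ "$major" -eq 7 ]; then echo not-affected
  elif [ "$major" -ne 9 ] || [ "$minor" -le 1 ]; then echo unsupported
  elif [ "$minor" -ge 4 ]; then echo fixed
  elif [ "$minor" -eq 3 ] && [ "$patch" -ge 6 ]; then echo fixed
  elif [ "$minor" -eq 2 ] && [ "$patch" -ge 13 ]; then echo fixed
  else echo vulnerable
  fi
}

# Print the "Drupal version" value from `drush status` output read on stdin.
# Matches the table layout of drush 10/11, e.g. " Drupal version   : 9.3.5".
drupal_version_from_status() {
  awk -F: '/Drupal version/ { v = $2; gsub(/^ +| +$/, "", v); print v; exit }'
}

# The advisory's remediation as commands. Nothing in this file calls it; run it
# yourself from the project root after taking a backup. Assumes (hypothetically)
# a composer-managed site requiring drupal/core-recommended with drush in vendor/bin.
drupal_core_upgrade() {
  # 1. core update: picks up 9.3.6 / 9.2.13 within your existing version constraint
  # 2. apply any pending database updates
  # 3. clear all caches; no service restart is needed
  composer update "drupal/core-*" --with-all-dependencies &&
    vendor/bin/drush updatedb -y &&
    vendor/bin/drush cache:rebuild
}

# Constructed sample of `drush status` output (not captured from a real site).
SAMPLE_STATUS=' Drupal version   : 9.3.5
 Site URI         : http://default
 DB driver        : mysql
 Drupal bootstrap : Successful
 Drush version    : 11.0.0'

v=$(printf '%s\n' "$SAMPLE_STATUS" | drupal_version_from_status)
echo "Drupal core $v: $(drupal_core_status "$v")"   # Drupal core 9.3.5: vulnerable
```

On a real site, `drush status | drupal_version_from_status` feeds the classifier; "vulnerable" means core is unpatched, not that an affected module is necessarily installed, and "unsupported" means no fix exists for that branch, so the only remedy is a major or minor upgrade rather than `drupal_core_upgrade` as written.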

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions with unexpected values
  • Failed validation attempts on specific forms

Network Indicators:

  • POST submissions to a known form carrying parameter names the form does not declare, or option values outside the set it offers. This needs a log source that records request bodies (a reverse proxy or WAF configured to do so); a plain access log shows only the method and path.

SIEM Query:

web_requests WHERE method='POST' AND (uri CONTAINS '/form/' OR uri CONTAINS '/submit') AND parameters CONTAINS suspicious_values

This is pseudo-syntax. Replace the URI patterns with the actual paths of the forms you care about and suspicious_values with the parameter names or option values that form never emits; matching on generic '/form/' or '/submit' substrings will be noisy and incomplete on a Drupal site, whose form routes rarely contain either.
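The allow-list approach the query above gestures at, as an added example that is not part of the page: given a log that records POST bodies, flag submissions to one form whose body carries field names the form never declared. The form path /my-module/profile, its field names, the log layout and the log lines themselves are all constructed for the example.

```sh
#!/bin/sh
# Added example (not from the page): flag POST submissions to a known Drupal form
# whose body carries field names the form does not declare. It assumes a log
# source that records request bodies (a reverse proxy or WAF set up to do so; a
# plain access log does not), one request per line in this constructed layout:
#   <timestamp> <client-ip> <method> <path> <url-encoded-body or ->
# The form path /my-module/profile and its fields are hypothetical.

# Usage: flag_unexpected_fields FORM_PATH ALLOWED_FIELDS < logfile
# ALLOWED_FIELDS is a comma-separated list of the field names the form declares.
# Field names are compared on their base name, the part before any "[" or its
# encoding "%5B", so field_note%5B0%5D%5Bvalue%5D is matched as "field_note".
# Prints "<timestamp> <client-ip> <unexpected-field-names>" per offending request.
flag_unexpected_fields() {
  awk -v path="$1" -v allowed="$2" '
    BEGIN {
      n = split(allowed, a, ",")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
      # fields the Drupal form API itself adds to every form
      ok["form_build_id"] = ok["form_token"] = ok["form_id"] = ok["op"] = 1
    }
    $3 == "POST" && $4 == path && $5 != "-" {
      m = split($5, pairs, "&"); bad = ""
      for (i = 1; i <= m; i++) {
        name = pairs[i]
        sub(/=.*/, "", name)              # keep the field name, drop the value
        sub(/%5B.*|\[.*/, "", name)       # strip any array suffix
        if (name == "") continue
        if (!(name in ok)) bad = bad (bad == "" ? "" : ",") name
      }
      if (bad != "") print $1, $2, bad
    }'
}

# Constructed sample log (not from a real site): two legitimate profile saves,
# a GET, a submission to another form, and two submissions that smuggle in
# fields the profile form never declared.
SAMPLE_LOG='2022-02-16T10:00:01Z 203.0.113.5 POST /my-module/profile display_name=alice&timezone=UTC&form_build_id=form-a1&form_token=t1&form_id=my_module_profile_form&op=Save
2022-02-16T10:00:04Z 203.0.113.5 GET /my-module/profile -
2022-02-16T10:00:09Z 198.51.100.9 POST /my-module/profile display_name=mallory&timezone=UTC&is_verified=1&form_build_id=form-b2&form_token=t2&form_id=my_module_profile_form&op=Save
2022-02-16T10:00:12Z 203.0.113.7 POST /my-module/profile display_name=bob&field_note%5B0%5D%5Bvalue%5D=hello&timezone=Europe%2FBerlin&form_build_id=form-c3&form_token=t3&form_id=my_module_profile_form&op=Save
2022-02-16T10:00:15Z 203.0.113.7 POST /contact/feedback subject=hi&message=hello&form_build_id=form-d4&form_token=t4&form_id=contact_message_feedback_form&op=Send
2022-02-16T10:00:20Z 198.51.100.9 POST /my-module/profile display_name=eve&timezone=UTC&is_verified=1&quota=unlimited&form_build_id=form-e5&form_token=t5&form_id=my_module_profile_form&op=Save'

printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_fields /my-module/profile display_name,timezone,field_note
# 2022-02-16T10:00:09Z 198.51.100.9 is_verified
# 2022-02-16T10:00:20Z 198.51.100.9 is_verified,quota
```

Run it as `flag_unexpected_fields /the/form/path field1,field2 < proxy.log` per form you want watched. Unknown field names are the cheap signal; to catch disallowed values for a field the form does declare, extend the `ok` map with the field's permitted option values and compare the value part of each pair the same way.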

🔗 References

  • Drupal security advisory SA-CORE-2022-003: https://www.drupal.org/sa-core-2022-003
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-25271
