CERT-In Vulnerability Note Reports Multiple Vulnerabilities in Drupal Core

CERT-In is the Indian Computer Emergency Response Team

A vulnerability note issued by the Indian Computer Emergency Response Team (CERT-In) on July 25, 2022, reports multiple vulnerabilities in Drupal Core. These vulnerabilities could allow a remote attacker to execute arbitrary code, access sensitive information, bypass security restrictions, and conduct cross-site scripting attacks on the targeted system.

CERT-In has rated the severity of the vulnerabilities as high. The affected software is listed as Drupal versions 9.4.0 to 9.4.2, 9.3.0 to 9.3.18, and 7.0 to 7.90.

Drupal developers had previously identified these vulnerabilities, and security advisories were issued beforehand. Web admins should apply the patches provided on Drupal.org.

CERT-In regularly issues such notes so that admins of government-run, public-facing websites are informed and urged to apply patches. According to its website, these are records on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

The vulnerabilities in the note are as follows:

1. Information Disclosure Vulnerability (CVE-2022-25275)

This vulnerability exists because the Image module does not properly verify access to image files not stored in the standard public files directory. Successful exploitation of this vulnerability could allow an attacker to access sensitive information on the targeted system.

2. Cross-Site Scripting Vulnerability (CVE-2022-25276)

This vulnerability exists because the Media oEmbed iframe route does not properly validate the iframe domain parameter. A remote attacker could exploit this vulnerability by sending a specially crafted request. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website.

3. Arbitrary Code Execution Vulnerability (CVE-2022-25277)

This vulnerability exists due to improper sanitization of certain filenames on uploaded files with an "htaccess" extension. A remote attacker could exploit this vulnerability by sending a specially crafted request. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted system.

4. Access Bypass Vulnerability (CVE-2022-25278)

This vulnerability exists due to improper access restrictions. A remote attacker could exploit this vulnerability by sending a specially crafted request. Successful exploitation of this vulnerability could allow an attacker to bypass security restrictions on the targeted system.

Solution

Apply the appropriate updates as mentioned in the Drupal Security Advisory.
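
To decide which sites need the update first, an inventory of Drupal versions can be checked against the affected ranges listed in the note. The script below is an added example, not code from CERT-In or Drupal.org; the function names are hypothetical and the hostnames and versions in the sample are constructed.

```python
import re

# Affected ranges as listed in the CERT-In note (inclusive bounds).
# Drupal 7 uses two-part versions, so 7.90 is stored as (7, 90, 0).
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 2)),
    ((9, 3, 0), (9, 3, 18)),
    ((7, 0, 0), (7, 90, 0)),
]

# Only plain release numbers are accepted; dev/rc/beta strings go to manual review.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse '9.4.2' or '7.90' into a 3-tuple; return None for anything else."""
    match = _RELEASE_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True or False for a plain release number, None when it cannot be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Sort {site: version} into affected, not_listed and review buckets.

    'not_listed' only means the version is outside the ranges in the note;
    it does not mean the release is supported or free of other issues.
    """
    buckets = {"affected": [], "not_listed": [], "review": []}
    for site, version in sorted(inventory.items()):
        verdict = is_affected(version)
        key = "review" if verdict is None else "affected" if verdict else "not_listed"
        buckets[key].append(site)
    return buckets


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {"intranet.example.test": "9.3.18", "portal.example.test": "9.4.3",
                    "legacy.example.test": "7.90", "staging.example.test": "9.4.x-dev"}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Sites in the `review` bucket report a version string that is not a plain release number and should be checked by hand.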