4 Important vulnerabilities in Drupal. Patch immediately

Drupal team have released updates that patch several vulnerabilities in the open source content management system (CMS). Drupal has released four advisories for four vulnerabilities ( One is critical and others “moderately critical). Below are the details of 4 vulnerabilities.

CVE IDs: CVE-2022-25276


The Media oEmbed iframe route does not properly validate the iframe domain setting, which permits embeds to be displayed in the context of the primary domain. Under certain conditions, this allows cross-site scripting, leaked cookies, or other vulnerabilities.

Vulnerability: Arbitrary PHP code execution

CVE IDs: CVE-2022-25277

Description: This only affects Apache web servers.

Drupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files. But, the fixes for these two vulnerabilities previously did not work correctly together. 

As a result, if the website was configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers. This vulnerability is mitigated by the fact that it requires an administrator to explicitly configure a file field to allow htaccess as an extension or custom code that overrides allowed file uploads.

Vulnerability: Access Bypass

CVE IDs: CVE-2022-25278


Under certain conditions, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through modules or themes may be affected.

Vulnerability:  Information Disclosure

CVE IDs: CVE-2022-25275


In some cases, the Image module does not check access to image files when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the “private” file system. However, some  modules provide additional file systems, which may cause this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config[‘image.settings’][‘allow_insecure_derivatives’] or (Drupal 7) $conf[‘image_allow_insecure_derivatives’] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.


Install the latest version:

  • If you are using Drupal 9.4, update to Drupal 9.4.3.
  • If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Also Drupal 8 has reached its end of life.

Drupal 7 core is not affected. Some websites may need  configuration changes following this security release.