Two serious vulnerabilities in Drupal would allow hackers to take full control of affected websites

This week, the Drupal security team announced security updates addressing two flaws in Drupal core that could lead to access bypass and data overwriting.

In its advisory, the open-source content management system (CMS) describes the first flaw as an access bypass that exists because the generic entity access API introduced for entity revisions was not implemented correctly.

This API was not fully integrated with existing permissions, so users who have permission to work with content revisions in general, but who do not have access to individual node and media items, could bypass the access checks on those items.

The flaw only exists in Drupal 9.3 and only affects sites that use Drupal's revision system.

The second flaw resides in the Drupal core Form API and is described as improper input validation: certain contributed or custom module forms may accept input they should reject. Because of this error, threat actors could inject disallowed values or overwrite data.

Affected forms are uncommon, but Drupal notes that in specific cases the flaw would allow threat actors to alter critical or sensitive data. Drupal says it is not aware of any affected forms within core itself, but contributed project and custom forms could be affected.
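The advisory does not name a vulnerable form, and the following is not the core fix; it is an added example (module name, form ID, field names and config key are assumptions) showing the defensive pattern that makes a custom or contributed form resistant to injected or disallowed values: declare the allowed values once, re-check every submitted value server-side in validateForm(), persist only the keys the form declared, and never honour input for an element the current user was not allowed to see.

```php
<?php

namespace Drupal\example_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Hypothetical settings form illustrating strict server-side input validation.
 *
 * Added example only; "example_module", the form ID, the field names and the
 * "example_module.settings" config object are assumptions, not Drupal core.
 */
class StrictSettingsForm extends FormBase {

  /** The only values the form is willing to accept for "mode". */
  private const ALLOWED_MODES = ['draft', 'review', 'published'];

  public function getFormId() {
    return 'example_module_strict_settings';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['mode'] = [
      '#type' => 'select',
      '#title' => $this->t('Mode'),
      '#options' => array_combine(self::ALLOWED_MODES, self::ALLOWED_MODES),
      '#required' => TRUE,
    ];
    $form['max_items'] = [
      '#type' => 'number',
      '#title' => $this->t('Maximum items'),
      '#min' => 1,
      '#max' => 100,
      '#default_value' => 10,
    ];
    // Only administrators may change the owner. For everyone else the element
    // is hidden via #access, and a submitted value must never be honoured.
    $form['owner_uid'] = [
      '#type' => 'number',
      '#title' => $this->t('Owner user ID'),
      '#access' => $this->currentUser()->hasPermission('administer site configuration'),
    ];
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Save'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Re-check on the server instead of trusting the element definition or
    // the browser: an attacker can post any value for any key.
    if (!in_array($form_state->getValue('mode'), self::ALLOWED_MODES, TRUE)) {
      $form_state->setErrorByName('mode', $this->t('Invalid mode.'));
    }
    $max = $form_state->getValue('max_items');
    if (!is_numeric($max) || (int) $max < 1 || (int) $max > 100) {
      $form_state->setErrorByName('max_items', $this->t('Maximum items must be between 1 and 100.'));
    }
    if ($form['owner_uid']['#access'] && $form_state->getValue('owner_uid') !== ''
      && !ctype_digit((string) $form_state->getValue('owner_uid'))) {
      $form_state->setErrorByName('owner_uid', $this->t('Owner user ID must be a positive integer.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Copy only the declared, validated keys; never persist getValues() wholesale,
    // otherwise an extra posted key becomes an arbitrary config overwrite.
    $config = $this->configFactory()->getEditable('example_module.settings');
    $config
      ->set('mode', $form_state->getValue('mode'))
      ->set('max_items', (int) $form_state->getValue('max_items'));
    // Respect #access again at write time, not only at render time.
    if ($form['owner_uid']['#access']) {
      $config->set('owner_uid', (int) $form_state->getValue('owner_uid'));
    }
    $config->save();
    $this->messenger()->addStatus($this->t('Settings saved.'));
  }

}
```

The two checks worth copying into an existing form are the explicit whitelist comparison in validateForm() (strict in_array against a fixed list rather than trusting #options alone, which also covers custom elements that core does not validate for you) and the per-key writes in submitForm(); a form that does `$config->setData($form_state->getValues())` is exactly the kind of form through which a disallowed value becomes an overwrite of unrelated data.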

Drupal rated both flaws moderately critical, so users of this CMS are advised to apply the available patches as soon as possible. The issues were addressed with the release of Drupal 9.3.12 and Drupal 9.2.18. Versions of Drupal 9 earlier than 9.2.x and all of Drupal 8 have reached end of life and will not receive updates; sites on those releases must upgrade to a supported branch to get the fixes. Drupal 7 is not affected by these flaws.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.