{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-25271", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "dateUpdated": "2022-11-03T00:00:00", "dateReserved": "2022-02-16T00:00:00", "datePublished": "2022-02-16T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2022-11-03T00:00:00"}, "descriptions": [{"lang": "en", "value": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data."}], "affected": [{"vendor": "Drupal", "product": "Core", "versions": [{"version": "9.3.x", "status": "affected", "lessThan": "9.3.6", "versionType": "custom"}, {"version": "9.2.x", "status": "affected", "lessThan": "9.2.13", "versionType": "custom"}, {"version": "7.x", "status": "affected", "lessThan": "7.88", "versionType": "custom"}]}], "references": [{"url": "https://www.drupal.org/sa-core-2022-003"}, {"name": "FEDORA-2022-9d655503ea", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"}, {"name": "FEDORA-2022-bf18450366", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "5307A395-1358-4CB3-8B3F-54C95A442693", "versionEndExcluding": "7.88", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "09CF71F1-F74A-4B1F-AD6D-B21B8A4B376A", "versionEndExcluding": "9.2.13", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E73DD49-5B53-4196-9F8F-CB530E532C71", "versionEndExcluding": "9.3.6", "versionStartIncluding": "9.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data."}, {"lang": "es", "value": "La API de formularios del n\u00facleo de Drupal presenta una vulnerabilidad en la que determinados formularios de m\u00f3dulos contribuidos o personalizados pueden ser vulnerables a una comprobaci\u00f3n inapropiada de entradas. Esto podr\u00eda permitir a un atacante inyectar valores no permitidos o sobrescribir datos. Los formularios afectados son poco comunes, pero en determinados casos un atacante podr\u00eda alterar datos cr\u00edticos o confidenciales"}], "id": "CVE-2022-25271", "lastModified": "2022-11-07T14:51:06.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-16T23:15:11.253", "references": [{"source": "mlhess@drupal.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"}, {"source": "mlhess@drupal.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"}, {"source": "mlhess@drupal.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2022-003"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}