SA-CORE-2022-012 (CVE-2022-25275) is a moderately critical information disclosure vulnerability fixed in Drupal 7.91, Drupal 9.3.19, and Drupal 9.4.3: files using URI schemes other than public://, private:// and temporary:// might be revealed if a built-in and default access protection configuration called "insecure derivatives" was enabled.

Private files stored with the private:// URI scheme, which is the default and common setting, are not exposed by this vulnerability, which greatly reduces its attack vectors. Further, this vulnerability is mitigated if the Drupal site has not turned off the default security setting with $conf = true (Drupal 7) or $config = true (Drupal 9). Drupal does not provide any user interface to allow insecure derivatives.

SA-CORE-2022-013 (CVE-2022-25278) is a moderately critical access bypass vulnerability in the Form API, only present in Drupal 9. This is fixed in Drupal 9.3.19 and Drupal 9.4.3.