Drupal officials have released updates that fix multiple security vulnerabilities, including critical ones, in the Drupal open-source content management system (CMS).
The “critical” security vulnerability, tracked as CVE-2022-25277, affects Drupal CMS 9.3 and 9.4. The vulnerability, found in Drupal Core, can lead to arbitrary PHP code execution on Apache web servers when specially crafted files are loaded. However, Drupal officials stated that this vulnerability only affects Apache web servers in specific configurations. Three other security vulnerabilities, considered less critical, allow cross-site scripting (XSS) attacks, disclosure of information, or bypassing of access restrictions.
These security vulnerabilities were fixed in Drupal CMS versions 9.4.3, 9.3.19, and 7.91. To avoid being targeted by attacks that exploit these vulnerabilities, Drupal CMS users are advised to consider the recommendations published by CISA and immediately apply the published updates to the vulnerable versions.