Drupal Warns of Two Critical Vulnerabilities

Drupal has warned of two moderately severe vulnerabilities that could allow attackers to overwrite data or inject prohibited values.

Drupal has announced two vulnerabilities affecting versions 9.2 and 9.3. They could permit an attacker to upload malicious files and gain control of a website. Both vulnerabilities have been rated Moderately Critical.

The United States Cybersecurity & Infrastructure Security Agency warned that an attacker could take control of a Drupal-based website.

CISA declared:

“Drupal has issued security updates to address vulnerabilities that affect Drupal 9.2 or 9.3.

An attacker could use these vulnerabilities to gain control of the affected system.”

Drupal

Drupal is an open-source content management system written in the PHP programming language.

Many significant institutions use Drupal, including the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University.

Form API – Improper Input Validation

The first vulnerability affects Drupal’s form API and involves improper input validation: content submitted through the form API is not correctly checked to determine whether it is permitted.

Input uploaded or entered into a form should always be validated. The allow-list approach to input validation defines the specific inputs the form expects and rejects anything that does not match.

If a form does not validate its input, it exposes the website to uploads that could trigger undesirable behavior in the web application.
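As an added illustration of the allow-list approach described above (example code written for this article, not Drupal core’s code or anything from the advisory; the module name, form id, field names and permitted values are assumed), a Drupal 9 form that declares the values and file extensions it accepts and re-checks the submitted value server-side in its validate handler:

```php
<?php

namespace Drupal\example_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Demonstration form; module, field names and values are assumed, not from the page.
 */
class AllowListForm extends FormBase {

  /** Values the server is willing to accept; everything else is rejected. */
  private const ALLOWED_VISIBILITY = ['private', 'internal', 'public'];

  public function getFormId() {
    return 'example_allow_list_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['visibility'] = [
      '#type' => 'select',
      '#title' => $this->t('Visibility'),
      '#options' => array_combine(self::ALLOWED_VISIBILITY, self::ALLOWED_VISIBILITY),
    ];
    $form['attachment'] = [
      '#type' => 'managed_file',
      '#title' => $this->t('Attachment'),
      // Allow list of file extensions; any other upload is refused.
      '#upload_validators' => ['file_validate_extensions' => ['pdf txt']],
      '#upload_location' => 'private://attachments',
    ];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Save')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Never trust the client-side <select>: compare the submitted value
    // against the server-side allow list with a strict type check.
    $visibility = $form_state->getValue('visibility');
    if (!in_array($visibility, self::ALLOWED_VISIBILITY, TRUE)) {
      $form_state->setErrorByName('visibility', $this->t('Unsupported visibility value.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only reached when validateForm() raised no errors.
    $this->messenger()->addStatus($this->t('Saved with visibility @v', ['@v' => $form_state->getValue('visibility')]));
  }

}
```

A value outside the list, or a file with an extension not named in the validator, is rejected before submitForm() runs.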

Drupal announced the issue in detail:

“Drupal core’s form API is vulnerable to incorrect input validation. This could make specific modules, custom or contributed, vulnerable. An attacker could use this to overwrite or inject prohibited values. Although these forms are rare, attackers could modify sensitive or critical data in some cases.”

Drupal Core Access Bypass

Access bypass refers to a vulnerability that allows a user to reach a site path without an access control check. In some cases, this may let them gain access levels they do not have permission for.

Drupal announced the vulnerability in

“Drupal 9.3 introduced a generic entity access API to allow entity revisions. This API was not fully integrated with existing permissions. Users who have access to modifications of content but not individual media content or nodes may be able to bypass this access.”

Publishers are encouraged to review Security Advisories and apply Updates

The United States Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage publishers to review the security advisories and update to the most recent versions.