Drupal Core Access bypass vulnerability - 20230317001
Overview
Drupal has released a security advisory to address an access bypass vulnerability affecting multiple Drupal versions. An attacker could exploit this vulnerability to take control of an affected system.
What is the vulnerability?
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
What is vulnerable?
The vulnerability affects the following products:
Affected versions:
- Drupal Core <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
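The following is an added example, not part of the advisory or of Drupal: a small Python check that evaluates installed Drupal core versions against the affected range listed above. The site names and inventory are constructed sample data, and pre-release or development version strings are deliberately reported for manual review rather than guessed at.

```python
import re

# Affected ranges transcribed from the advisory line above:
#   <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
# Each entry is (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((0, 0, 0), (7, 95, 0)),
    ((8, 0, 0), (9, 4, 12)),
    ((9, 5, 0), (9, 5, 5)),
    ((10, 0, 0), (10, 0, 5)),
]

# Plain releases only: "7.94" (Drupal 7 style) or "9.4.11" (Drupal 8+ style).
_RELEASE = re.compile(r"^\d+(\.\d+){1,2}$")


def parse_version(text):
    """Return (major, minor, patch) for a plain release string, else None."""
    text = text.strip()
    if not _RELEASE.match(text):
        return None  # e.g. "10.0.x-dev" or "9.5.5-rc1": needs a human decision
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))  # "7.94" -> (7, 94, 0)
    return tuple(parts)


def is_affected(text):
    """True/False for a plain release, None when the string cannot be judged."""
    version = parse_version(text)
    if version is None:
        return None
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Group site names by result so patching and review queues are separate."""
    groups = {"affected": [], "not_affected": [], "review": []}
    keys = {True: "affected", False: "not_affected", None: "review"}
    for site, version in inventory.items():
        groups[keys[is_affected(version)]].append(site)
    return groups


if __name__ == "__main__":
    # Constructed inventory; hypothetical site names.
    sample = {"intranet": "7.94", "portal": "9.4.12", "shop": "10.0.4", "lab": "10.0.x-dev"}
    print(triage(sample))
```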
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected products:
Drupal core - Moderately critical - Access bypass https://www.drupal.org/sa-core-2023-004