The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.
In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
This vulnerability is mitigated by the following:
Install the latest version:
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.
The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.
Solution:Install the latest version:
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Solution:Install the latest version:
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).
This could be exploited in various ways:
Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability.
Solution:Install the latest version:
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Solution:Install the latest version:
All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.
Reported By: Fixed By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.
A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.
This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.
In particular, the bulk operations
now require the "Administer content" permission.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).
Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.
This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Team
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this vulnerability.
Solution:Install the latest version:
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.
Reported By: Fixed By:Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.
Reported By: Fixed By:Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.
The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
This advisory is not covered by Drupal Steward.
Reported By: Fixed By:The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Drupal 7 is not affected.
Reported By: Fixed By:In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.
Solution:Install the latest version:
All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Reported By: Fixed By:The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
This advisory is covered by Drupal Steward. Because this vulnerability is not mass exploitable, your Steward partner may respond by monitoring-only, rather than enforcing a new WAF rule.
We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.
Drupal 7Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.
Solution:Install the latest version:
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By:Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Solution:Install the latest version:
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By: Fixed By: