Drupal developers have announced the release of updates that patch several vulnerabilities in the open source content management system (CMS).
Drupal has released four advisories that describe four types of vulnerabilities. One of them has been rated “critical” and the other three “moderately critical.” Drupal uses the NIST Common Misuse Scoring System to rate vulnerabilities — instead of CVSS — with flaws being rated “less critical,” “moderately critical,” “critical” and “highly critical.”
The “critical” vulnerability, tracked as CVE-2022-25277, affects Drupal 9.3 and 9.4. The issue impacts the Drupal core and it can lead to arbitrary PHP code execution on Apache web servers by uploading specially crafted files.
Drupal developers pointed out that only Apache web servers are impacted and only with specific configurations. They have advised website admins to check their server for possible signs of compromise.
The three “moderately critical” security holes also impact the Drupal core. Their exploitation can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass.
Patches for these vulnerabilities are included in Drupal 9.4.3 and 9.3.19. The information disclosure flaw also impacts Drupal 7 and a fix has been included in version 7.91.
The US Cybersecurity and Infrastructure Security Agency (CISA) has advised Drupal users to review the advisories and install the updates.
While Drupal websites are not as targeted as WordPress sites, several of the vulnerabilities found in the CMS in the past years were exploited by malicious actors, including for spam campaigns and to hack websites and deliver malware.
Related: Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal
Related: Drupal Patches ‘High-Risk’ Third-Party Library Flaws
Related: Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
