Drupal Releases Security Updates

Five security advisories address multiple vulnerabilities affecting the Drupal platform

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Drupal has released security updates to address multiple vulnerabilities. The security advisories affecting Drupal core, Media Library Form API Element, and Entity Browser describe vulnerabilities that could result in users seeing metadata about media items they are not authorised to access.

These vulnerabilities are partially mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field. There are two other vulnerabilities also affecting Drupal modules.


Remediation advice

Affected organisations are encouraged to review the Drupal security advisories and apply the relevant update.


Remediation steps

| Type | Step |
| --- | --- |
| Patch | Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001: https://www.drupal.org/sa-core-2023-001 |
| Patch | Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004: https://www.drupal.org/sa-contrib-2023-004 |
| Patch | Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003: https://www.drupal.org/sa-contrib-2023-003 |
| Patch | Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002: https://www.drupal.org/sa-contrib-2023-002 |
| Patch | Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001: https://www.drupal.org/sa-contrib-2023-001 |

Definitive source of threat updates

Last edited: 23 January 2023 3:41 pm