Drupal Releases Security Updates
Summary
Five security advisories address multiple vulnerabilities affecting the Drupal platform
Threat details
Introduction
Drupal has released security updates to address multiple vulnerabilities. The security advisories affecting Drupal core, Media Library Form API Element, and Entity Browser describe vulnerabilities that could result in users seeing metadata about media items they are not authorised to access.
These vulnerabilities are partially mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field. There are two other vulnerabilities also affecting Drupal modules.
Remediation advice
Affected organisations are encouraged to review the Drupal security advisories and apply the relevant update.
Remediation steps
| Type | Step |
|---|---|
| Patch | Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 https://www.drupal.org/sa-core-2023-001 |
| Patch | Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004 https://www.drupal.org/sa-contrib-2023-004 |
| Patch | Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003 https://www.drupal.org/sa-contrib-2023-003 |
| Patch | Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002 https://www.drupal.org/sa-contrib-2023-002 |
| Patch | Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 https://www.drupal.org/sa-contrib-2023-001 |
Last edited: 23 January 2023 3:41 pm