CVE-2022-25278
MEDIUM
Drupal 8.0.0-9.3.18 - Unauthenticated Form Access Control Bypass
Title source: llm
Description
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
References (1)
Core References
Vendor Advisory
https://www.drupal.org/sa-core-2022-013
Scores
CVSS v3
6.5
EPSS
0.0050
EPSS Percentile
66.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
Status
published
Products (2)
drupal/core
8.0.0 - 9.3.19
Packagist
drupal/drupal
8.0.0 - 9.3.19
Published
Apr 26, 2023
Tracked Since
Feb 18, 2026