{"api_version":"1","generated_at":"2026-04-23T00:42:10+00:00","cve":"CVE-2022-25271","urls":{"html":"https://cve.report/CVE-2022-25271","api":"https://cve.report/api/cve/CVE-2022-25271.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-25271","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271"},"summary":{"title":"CVE-2022-25271","description":"Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.","state":"PUBLIC","assigner":"security@drupal.org","published_at":"2022-02-16 23:15:00","updated_at":"2022-11-07 14:51:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","name":"FEDORA-2022-9d655503ea","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.drupal.org/sa-core-2022-003","name":"https://www.drupal.org/sa-core-2022-003","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 | Drupal.org","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","name":"FEDORA-2022-bf18450366","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-25271","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"25271","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"drupal","cpe5":"drupal","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"25271","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"25271","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-25271","qid":"154105","title":"Drupal Core Improper Input Validation Vulnerability (SA-CORE-2022-003)"},{"cve":"CVE-2022-25271","qid":"283227","title":"Fedora Security Update for drupal7 (FEDORA-2022-9d655503ea)"},{"cve":"CVE-2022-25271","qid":"283277","title":"Fedora Security Update for drupal7 (FEDORA-2022-bf18450366)"},{"cve":"CVE-2022-25271","qid":"283473","title":"Fedora Security Update for drupal7 (FEDORA-2022-c4334d5277)"},{"cve":"CVE-2022-25271","qid":"502055","title":"Alpine Linux Security Update for drupal7"},{"cve":"CVE-2022-25271","qid":"504708","title":"Alpine Linux Security Update for drupal7"},{"cve":"CVE-2022-25271","qid":"730375","title":"Drupal Core Security Update (SA-CORE-2022-003)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-25271","ASSIGNER":"security@drupal.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Drupal","product":{"product_data":[{"product_name":"Core","version":{"version_data":[{"version_value":"9.3.x","version_affected":"="},{"version_value":"9.2.x","version_affected":"="},{"version_value":"7.x","version_affected":"="}]}}]}}]}},"references":{"reference_data":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"url":"https://www.drupal.org/sa-core-2022-003","refsource":"MISC","name":"https://www.drupal.org/sa-core-2022-003"}]}},"nvd":{"publishedDate":"2022-02-16 23:15:00","lastModifiedDate":"2022-11-07 14:51:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"9.3.0","versionEndExcluding":"9.3.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"9.2.0","versionEndExcluding":"9.2.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.88","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}