Vulnerability Bulletins

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

System information

Affected software Drupal


Project: Drupal coreDate: 2022-July-20Security risk: Critical 15∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: >= 8.0.0 = 9.4.0 CVE IDs: CVE-2022-25277Description: Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent

More info:

Standar resources

Property Value
CVE CVE-2022-25277.

Version history

Version Comments Date
1.0 Advisory issued 2022-08-22
Ministerio de Defensa