Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004
Project:
Date:
2023-March-15
Security risk:
Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability:
Access bypass
Affected versions:
<7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:
Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Solution:
Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
- If you are using Drupal 7, update to Drupal 7.95.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By:
Fixed By:
- Damien McKenna of the Drupal Security Team
- Elar Lang
- Lee Rowlands of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Joseph Zhao Provisional Member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Jen Lampton Provisional Member of the Drupal Security Team
- Nate Lampton
- Greg Knaddison of the Drupal Security Team