Multiple vulnerabilities found in Drupal core – SA-CORE-2022-016

Alert Severity: Critical

Issue Date: 2022-09-28

CVE(s): CVE-2022-39261

Impacted Products and Versions: Drupal Core versions >8.0.0 and <9.3.22; >=9.4.0 and <9.4.7

Description:

Multiple vulnerabilities were found in Drupal Core’s code extending Twig. An untrusted user who has access to write Twig code can read private files or database credentials.

Mitigation:

Upgrade Drupal 9.4 to Drupal 9.4.7

Upgrade Drupal 9.3 to Drupal 9.3.22

Versions before 9.3.x are end of life; no support is available for versions below 9.3.
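
To triage an inventory of sites against the ranges above, the following added example (not part of the original advisory or of Drupal) reads the core version from the text of core/lib/Drupal.php and classifies it. The function names, status labels and the sample file excerpt are constructed for illustration, and treating a pre-release of a fixed version as still affected is an assumption.

```python
import re

# Ranges and fixed releases exactly as listed in this advisory.
FIXED = {(9, 3): (9, 3, 22), (9, 4): (9, 4, 7)}
LOWER_BOUND = (8, 0, 0)   # affected versions are > 8.0.0
SUPPORTED_FROM = (9, 3)   # branches before 9.3 are end of life

VERSION_CONST = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
VERSION_SHAPE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

# Constructed excerpt of core/lib/Drupal.php, for illustration only.
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '9.4.5';
}
"""


def version_from_drupal_php(source):
    """Return the VERSION constant from the text of core/lib/Drupal.php."""
    m = VERSION_CONST.search(source)
    return m.group(1) if m else None


def classify(version):
    """Map a core version string to (status, advice) per this advisory."""
    m = VERSION_SHAPE.match(version.strip())
    if not m:
        return ("unknown", "unparseable version, check manually")
    core = tuple(int(p) for p in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    branch = core[:2]
    if core <= LOWER_BOUND or branch > max(FIXED):
        return ("not-listed", "outside the ranges this advisory lists")
    if branch < SUPPORTED_FROM:
        return ("affected-eol", "end-of-life branch, move to 9.3.22 or 9.4.7")
    fixed = FIXED[branch]
    # Assumption: a pre-release of the fixed version (e.g. 9.4.7-rc1)
    # is treated as still affected, the conservative reading.
    if core < fixed or (core == fixed and prerelease):
        return ("affected", "upgrade to %d.%d.%d" % fixed)
    return ("patched", "at or above the fixed release")


if __name__ == "__main__":
    found = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(found, classify(found))
```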
