Drupal Core SQL Injection Vulnerability

Vulnerability

A highly critical SQL injection vulnerability has been identified in Drupal Core. This issue affects versions 8.9.0 prior to 10.4.10, 10.5.0 prior to 10.5.10, 10.6.0 prior to 10.6.9, 11.0.0 prior to 11.1.10, 11.2.0 prior to 11.2.12, and 11.3.0 prior to 11.3.10. The vulnerability arises from improper sanitization of database queries, allowing attackers to send specially crafted requests that could lead to arbitrary SQL injection on sites using PostgreSQL databases. Exploitation of this vulnerability could result in information disclosure, and in some cases, privilege escalation, remote code execution, or other attacks. Notably, this vulnerability can be exploited by anonymous users.

Impact

Exploitation of this vulnerability allows for SQL injection, which could lead to unauthorized data access or modification, and on some sites, privilege escalation or remote code execution.

Remediation

Users are advised to update to the latest version of Drupal. For Drupal 11.3.x, update to Drupal 11.3.10; for 11.2.x, update to 11.2.12; for 11.1.x or 11.0.x, update to 11.1.10. For Drupal 10.6.x, update to 10.6.9, and for 10.5.x, update to 10.5.10. If using Drupal 9 or 8, manually apply the Drupal 9.5 or 8.9 patch for this issue.
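A quick way to triage an installation against the version ranges listed above, as an added example that is not part of this advisory. It parses the VERSION constant that Drupal core declares in core/lib/Drupal.php (the sample file content below is constructed) and compares it against the affected ranges exactly as the advisory states them, treating the upper bound of each range as the first fixed release on that line.

```python
import re

# Affected ranges from the advisory as half-open intervals [introduced, fixed).
# The upper bound is the first release on that line that carries the fix.
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]


def parse_version(version):
    """Turn '10.4.9' or '11.3.10-dev' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the core version falls inside any range the advisory lists."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed(version):
    """Return the first fixed release on the matching line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


def version_from_drupal_php(source):
    """Extract the VERSION constant from the contents of core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    if not m:
        raise ValueError("VERSION constant not found in Drupal.php source")
    return m.group(1)


# Constructed stand-in for a core/lib/Drupal.php file on a site running 10.5.9.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '10.5.9';\n}\n"

if __name__ == "__main__":
    v = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(v, "affected:", is_affected(v), "update to:", first_fixed(v))
```

The check covers only the core version; whether the site actually runs on PostgreSQL has to be confirmed separately from the site's database configuration, and the advisory's remediation applies regardless. For Drupal 8 and 9 sites, which have no fixed release on their own line, a match means the manual patch mentioned above is needed.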

Added: May 20, 2026, 8:41 PM
Updated: May 20, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          7.6
impact          3.1
exploitability  7.9
remediation     7.7
relevance       8.9
threat          0.7
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.