The Drupal security team has released a “moderately critical” advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites.
The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services.
“These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites,” according to a Drupal advisory.
“We are issuing this security advisory outside our regular security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests,” it added.
Guzzle has rated these vulnerabilities as high-risk and Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites.
“Exploitation of this vulnerability could allow a remote attacker to take control of an affected website,” the team warned.
The security team recommends its users install the latest versions (Drupal 9.2 through Drupal 9.4). It’s important to note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.