The open source content management system Drupal has released a security advisory announcing patches for critical and less critical vulnerabilities affecting its core engine. The vulnerabilities were patched on Wednesday, and two of them carry critical risk.
Users who use Drupal to build and manage their websites and content should upgrade the software to version 8.1.10, as all 8.x releases of the software are affected.
Details About the Latest Drupal Patch
The first vulnerability rated as critical is a cross-site scripting (XSS) flaw in HTTP exceptions. Exception handling deals with the exceptional conditions that could disrupt the normal execution of a program. The XSS flaw could affect users through their browsers. The attack succeeds if the targeted user accesses a specially crafted URL. In other words, the vulnerability opens a hole that allows attackers to execute arbitrary code in the victim’s browser.
The other vulnerability rated critical was given the following descriptive name by the Drupal security team:
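As an added illustration (not code from Drupal or from the advisory), the PHP sketch below models the general pattern behind an XSS flaw in an error page: an exception message that echoes part of the request is written into HTML without and then with output encoding. The class name, function names and sample path are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Simplified model of an HTTP exception whose message echoes the requested path.
// All names here are hypothetical; this is not Drupal core code.
final class NotFoundHttpException extends RuntimeException
{
    public function __construct(string $requestPath)
    {
        parent::__construct("No route found for \"{$requestPath}\"", 404);
    }
}

// Vulnerable pattern: the exception message goes into the HTML body as-is,
// so markup taken from the URL becomes part of the page.
function renderErrorUnsafe(Throwable $e): string
{
    return '<h1>Error ' . $e->getCode() . '</h1><p>' . $e->getMessage() . '</p>';
}

// Hardened pattern: treat the message as untrusted text and encode it for
// an HTML context, including both quote styles.
function renderErrorSafe(Throwable $e): string
{
    $message = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>Error ' . (int) $e->getCode() . '</h1><p>' . $message . '</p>';
}

// Constructed sample input: a request path carrying harmless markup.
$path = '/missing/<em class="injected">page</em>';

try {
    throw new NotFoundHttpException($path);
} catch (NotFoundHttpException $e) {
    echo renderErrorUnsafe($e), PHP_EOL; // markup from the URL is rendered by the browser
    echo renderErrorSafe($e), PHP_EOL;   // markup is displayed as inert text
}
```

In the second line of output the angle brackets and quotes arrive as HTML entities, so the browser shows the path as text instead of interpreting it.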
“Full config export can be downloaded without administrative permissions”
It is related to the Drupal feature that lets users export the configuration of their sites to a file. Normally, this option should be available only to users who have administrative privileges. The flaw makes it possible to download the full site configuration even for users who don’t have the “Export configuration” permission.
The third vulnerability, rated less critical, affects the permissions for administering comments on a Drupal site. The restriction bypass issue concerns the visibility of comments on nodes. Only users who have the “administer comments” permission should be able to set the visibility of comments. Experts discovered that users who have the rights to edit a node could also set the visibility of comments for that node, an option that should be available only to those who have the right permission.
The patched vulnerabilities have no CVE identifiers yet, but we can expect the issues to be assigned to the list soon. Quintus Maximus, Ivan, Kier Heyl and Anton Shubkin reported these issues to the Drupal developers. More information about the fixes and their discoverers can be found in Drupal’s latest security advisory.
There is a real risk of attacks on sites that have unpatched CMS vulnerabilities. Website admins should pay attention to this news and apply the security updates as soon as possible.
This patch is the second this year to fix critical vulnerabilities in Drupal core. The total number of patches released by the company this year is five. The previous patch was released in July and eliminated highly critical remote code execution vulnerabilities.