Drupal patches two critical vulnerabilities

Drupal today fixed two critical, and one not-so-critical, vulnerabilities.

The Drupal Security Team issued updates for a pair of critical flaws, one allowing remote code execution and another giving access to parts of the system without full administrative permissions.

The first critical issue is a cross-site scripting flaw in Drupal's exception handling: an attacker who crafted a special URL could execute arbitrary code in a victim's browser. The vulnerability existed because Drupal was not properly sanitizing exception messages before displaying them. The second would allow unauthorized users to download a full config report, which should normally be limited to only those with the export configuration permission.
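The root cause behind the first flaw, as an added illustration that is not from the advisory or from Drupal's code: a PHP handler that builds an exception message from the request path and writes it into HTML unescaped, next to the escaped form. The function names and the request path are constructed for the example.

```php
<?php
// Added example (not Drupal's code): how an unescaped exception message
// becomes reflected XSS, and the fix. Names and values are constructed.

function renderErrorUnsafe(Throwable $e): string {
    // Vulnerable pattern: the message is written straight into the page,
    // so any markup carried in the request path reaches the browser intact.
    return '<div class="error">' . $e->getMessage() . '</div>';
}

function renderErrorSafe(Throwable $e): string {
    // Hardened form: escape before output. In Drupal the equivalent helper
    // is \Drupal\Component\Utility\Html::escape().
    return '<div class="error">'
        . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Simulated router: echoes the requested path into the exception text.
function lookupRoute(string $path): void {
    throw new RuntimeException("No route found for \"$path\"");
}

// Constructed request path carrying a script tag.
$path = '/node/<script>alert(1)</script>';

try {
    lookupRoute($path);
} catch (RuntimeException $e) {
    echo renderErrorUnsafe($e), PHP_EOL; // <script> tag survives and would run
    echo renderErrorSafe($e), PHP_EOL;   // &lt;script&gt;... is shown as text
}
```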

A less critical problem was also patched, stopping users who only have rights to edit a node from being able to set the visibility of comments for that node.

The updates are listed under advisory DRUPAL-SA-CORE-2016-004. The vulnerabilities affect Drupal version 8.x and are patched by upgrading to version 8.1.10.
