Drupal patches 10 vulnerabilities in latest advisory

The CMS platform Drupal patched several vulnerabilities in its latest updates.
Drupal's security team released an advisory that details 10 vulnerabilities affecting versions 6, 7 and 8 and directs users to install the latest version of the software.

According to the Wednesday advisory, the open source content management system (CMS) was vulnerable to a “critical” Form API access bypass vulnerability in version 6 that could allow an attacker to submit input associated with buttons that only an administrator should be able to access.

The security team also patched six moderately critical vulnerabilities.

One of the moderately critical flaws was a “file upload access bypass and denial of service” issue that affected versions 7 and 8 and could allow an attacker to view, delete, or substitute a link to a file that the victim has uploaded to a form, the advisory said.

The remaining three vulnerabilities were rated “less critical” and included an issue affecting versions 7 and 8 that could allow email addresses to be matched to a user's account.

Drupal recommended that users update their systems to Drupal 6.38, 7.43, or 8.0.4.

The advisory also marks the last security patch that will be offered for Drupal 6, which has reached its end-of-life. Drupal said it is working with a few vendors that will provide paid support for version 6 websites.
