Drupal 6.37 and 7.39 released, critical vulnerabilities addressed

Open source content management system (CMS) platform Drupal has issued security patches to address several critical vulnerabilities affecting Drupal 6 and 7.

According to the Wednesday advisory, versions of Drupal prior to 6.37 and 7.39 contain three vulnerabilities: a cross-site scripting bug in the Autocomplete system, a cross-site request forgery bug in the Form API, and an information disclosure flaw in the Access system.

The cross-site request forgery vulnerability in the Form API “could allow a malicious user to upload files to the site under another user's account,” the advisory said.

Vulnerable versions of Drupal 7 are affected by two additional issues: a cross-site scripting bug in the Ajax system and a SQL injection vulnerability in the Database API.

The SQL injection vulnerability can enable a “user with elevated permissions to inject malicious code in SQL comments,” the advisory said.
