Drupal patches 10 vulnerabilities in latest advisory

Drupal's security team released an advisory that details 10 vulnerabilities affecting versions 6, 7 and 8 and directs users to install the latest version of the software.

According to the Wednesday advisory, the open source content management system (CMS) was vulnerable to a “critical” Form API access bypass vulnerability in version 6 that could allow an attacker to submit input associated with buttons that only an administrator should be able to access.

The security team also patched six moderately critical vulnerabilities.

One of the moderately critical flaws was a “file upload access bypass and denial of service” issue that affected versions 7 and 8 and could allow an attacker to view, delete, or substitute a link to a file that the victim has uploaded to a form, the advisory said.

The remaining three vulnerabilities were rated “less critical” and included an issue affecting versions 7 and 8 that could allow email addresses to be matched to a user's account.

Drupal recommended that users update their systems to Drupal 6.38, 7.43, or 8.0.4.

The advisory also marks the last security patch that will be offered for Drupal 6, which has reached its end-of-life. Drupal said it is working with a few vendors that will provide paid support for version 6 websites.
