
Drupal patches two critical vulnerabilities

The Drupal Security Team issued updates for a pair of critical flaws, one allowing remote code execution and another giving access to parts of the system without full administrative permissions.

The first critical issue is a cross-site scripting flaw in exception handling: an attacker who crafted a special URL could execute arbitrary code in a victim's browser. The vulnerability existed because Drupal was not properly sanitizing an exception before rendering it. The second would allow unauthorized users to download a full configuration report, which should normally be limited to those holding the "export configuration" permission.
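The exception-sanitization failure described above is a general pattern, so here is an added illustration in PHP (not Drupal's own code, and not taken from the advisory) of an error renderer that interpolates an exception message carrying request-derived text into HTML. The function names, the sample path and the exception message are constructed for the example.

```php
<?php
// Added illustration, not Drupal's code: an error page that writes an
// exception message into HTML. The message contains the requested path,
// which the attacker controls via the URL.

// Vulnerable pattern: the exception message is emitted unescaped, so any
// markup in the requested path reaches the victim's browser as HTML.
function renderErrorUnsafe(Exception $e): string {
    return '<h1>Error</h1><p>' . $e->getMessage() . '</p>';
}

// Hardened pattern: escape the message for the HTML context before output,
// so request-derived text is shown as literal characters.
function renderErrorSafe(Exception $e): string {
    $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Error</h1><p>' . $msg . '</p>';
}

// Constructed sample: a "route not found" exception whose message echoes
// the requested path, as such exceptions commonly do.
$requestedPath = '/node/<script>alert(1)</script>';
$e = new RuntimeException('No route found for ' . $requestedPath);

echo renderErrorUnsafe($e), PHP_EOL; // <script> tag is delivered intact
echo renderErrorSafe($e), PHP_EOL;   // rendered as &lt;script&gt;alert(1)&lt;/script&gt;
```

The defensive point is that an exception message is untrusted output whenever any part of it derives from the request, and it must be escaped for the context (here HTML) in which it is rendered, exactly as any other user-supplied string would be.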

A less critical problem was also patched, stopping users who only have rights to edit a node from being able to set the visibility of comments for that node.

The updates are listed under advisory DRUPAL-SA-CORE-2016-004. The vulnerabilities affect Drupal version 8.x and are patched by upgrading to version 8.1.10.
