
Drupal 6.37 and 7.39 released, critical vulnerabilities addressed

Open source content management system (CMS) platform Drupal has issued security patches to address several critical vulnerabilities affecting Drupal 6 and 7.

According to the Wednesday advisory, versions of Drupal prior to 6.37 and 7.39 contain three vulnerabilities: a cross-site scripting bug in the Autocomplete system, a cross-site request forgery bug in the Form API, and an information disclosure flaw in the Access system.

The cross-site request forgery vulnerability in the Form API “could allow a malicious user to upload files to the site under another user's account,” the advisory said.

Vulnerable versions of Drupal 7 are affected by two additional issues: a cross-site scripting bug in the Ajax system and a SQL injection vulnerability in the Database API.

The SQL injection vulnerability can enable a “user with elevated permissions to inject malicious code in SQL comments,” the advisory said.
