Patch/Configuration Management, Vulnerability Management

Drupal, Google and Cisco post security advisories


Batches of security advisories were rolled out by Drupal, Google and Cisco yesterday addressing a host of critical-rated issues for their products.

Drupal addressed a critical vulnerability affecting Drupal 8.7 and 8.8. The issue is a Cross Site Scripting vulnerability in third-party libraries. An attacker that can create or edit content may be able to exploit this Cross Site Scripting vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.

The organization recommends updating to versions 8.7.12 and 8.8.4, respectively, to obtain the proper patches. If updating is not possible it is suggested to disable the CKEditor module until the update can be accomplished.

Cisco fixed six vulnerabilities in its Cisco SD-WAN cloud scale architecture. The three rated, which are all due to insufficient input validation as potentially having a high impact are:

  • CVE-2020-3265 is a solution privilege escalation could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system.
  • CVE-2020-3265 is a solution command injection vulnerability that if exploited could let a local attacker inject arbitrary commands with root privileges.
  • CVE-2020-3264 can be exploited by sending specially crafted traffic to an affected device giving the attacker access to information and allowing this person to make changes to the system that they are not authorized to make.

Google issued 13 updates, all rated high, to its Chome Stable Channel with many focusing on use after free issues.

Four, CVE-2020-6449, CVE-2020-6429, CVE-2020-6428 and CVE-2020-6427 centered use after free audio flaw. CVE-2020-6422 and CVE-2020-6424 were use after free WebGL and use after free media.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.