Drupal this week issued a series of security releases to fix four "moderately critical" vulnerabilities: three in the Symfony PHP web application framework that the content management system uses, and a fourth in the jQuery JavaScript library.

The three Symfony issues consist of:

  • A cross-site scripting bug caused by validation messages not being escaped in the PHP templating engine (CVE-2019-10909)
  • A remote code execution vulnerability due to service IDs derived from unfiltered user input
  • A flaw potentially allowing attackers to modify the "remember me" cookie and authenticate as a different user

These three problems, reported by PHP researcher Michael Cullum, were patched in Symfony itself, and the fixes are also included in the newly released Drupal versions 8.6.15 and 8.5.15.

The same two new Drupal versions, as well as Drupal 7.66, include a fix for a cross-site scripting vulnerability that researchers "dtv_rb" and "Jess" found in jQuery prior to its newest release, version 3.4.0.