Drupal releases correct four moderately critical third-party vulnerabilities

Drupal this week issued a series of security releases to fix four "moderately critical" vulnerabilities: three in components of the Symfony PHP web application framework that Drupal 8 is built on, and a fourth in the jQuery JavaScript library that Drupal bundles.

The three Symfony issues consist of:

  • A cross-site scripting bug in which validation messages rendered through the PHP templating engine were not escaped (CVE-2019-10909)
  • A remote code execution vulnerability in which service IDs could be derived from unfiltered user input
  • A flaw potentially allowing attackers to modify the remember-me cookie and authenticate as a different user

All three were reported by PHP researcher Michael Cullum and were patched in Symfony itself; the fixes are also included in the newly released Drupal versions 8.6.15 and 8.5.15.
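The third Symfony issue, the remember-me cookie, illustrates a general rule for any login token: the fields a digest covers must be encoded so that no two field combinations produce the same input bytes (Symfony's published fix for its issue added a separator to the hashed value). The Python sketch below is an added example written for this article, not Symfony's or Drupal's code. It models a cookie of the form username:expires:digest, first with the digest computed over the username and expiry concatenated with no separator, so that a cookie for user "bob1" can be rewritten into a cookie for user "bob" that the server still accepts, then with length-prefixed fields under an HMAC, a constant-time comparison and an expiry check. The cookie layout, SECRET, the sample user names and all function names are assumptions made for the illustration.

```python
"""
Why the fields a remember-me cookie signs need an unambiguous encoding.

Added example for this article; not Symfony's or Drupal's code. The cookie
layout (username:expires:digest, base64-wrapped), SECRET, the user names and
every function name here are assumptions made for the illustration.
"""
import base64
import hashlib
import hmac

SECRET = b"constructed-server-side-secret"  # constructed value; never sent to the client


def _encode(username, expires, digest):
    return base64.urlsafe_b64encode(f"{username}:{expires}:{digest}".encode()).decode()


def _decode(cookie):
    # rsplit keeps any ':' inside the username attached to the username
    username, expires, digest = base64.urlsafe_b64decode(cookie).decode().rsplit(":", 2)
    return username, int(expires), digest


# --- Weak construction: username and expiry concatenated with no separator ---

def _digest_unsafe(username, expires):
    # The hashed bytes for ("bob1", 2345678) and ("bob", 12345678) are identical:
    # b"bob12345678" + SECRET in both cases, so one digest covers both identities.
    return hashlib.sha256(username.encode() + str(expires).encode() + SECRET).hexdigest()


def make_cookie_unsafe(username, expires):
    return _encode(username, expires, _digest_unsafe(username, expires))


def verify_cookie_unsafe(cookie, now):
    """Return the authenticated username, or None."""
    username, expires, digest = _decode(cookie)
    if expires < now:
        return None
    if digest != _digest_unsafe(username, expires):  # '!=' is also not constant-time
        return None
    return username


# --- What the holder of a valid cookie can do: re-split the same characters ---

def rewrite_cookie(cookie, new_username, new_expires):
    """Keep the server-issued digest, change the fields in front of it."""
    _, _, digest = _decode(cookie)
    return _encode(new_username, new_expires, digest)


# --- Fixed construction: length-prefixed fields, HMAC, constant-time compare ---

def _digest_safe(username, expires):
    # Length prefix plus separator makes the byte string a unique encoding of the
    # (username, expires) pair; HMAC binds it to the server secret properly.
    data = f"{len(username)}:{username}|{expires}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def make_cookie_safe(username, expires):
    return _encode(username, expires, _digest_safe(username, expires))


def verify_cookie_safe(cookie, now):
    """Return the authenticated username, or None for malformed, expired or forged cookies."""
    try:
        username, expires, digest = _decode(cookie)
    except (ValueError, UnicodeDecodeError):
        return None
    if expires < now:
        return None
    if not hmac.compare_digest(digest, _digest_safe(username, expires)):
        return None
    return username


if __name__ == "__main__":
    NOW = 1_000_000  # constructed "current time"
    attacker = make_cookie_unsafe("bob1", 2345678)  # cookie the attacker legitimately holds
    forged = rewrite_cookie(attacker, "bob", 12345678)
    print("weak scheme accepts forged cookie as:", verify_cookie_unsafe(forged, NOW))
    forged_safe = rewrite_cookie(make_cookie_safe("bob1", 2345678), "bob", 12345678)
    print("fixed scheme accepts forged cookie as:", verify_cookie_safe(forged_safe, NOW))
```

The forgery needs nothing beyond an account of one's own: the attacker's legitimately issued cookie already carries a digest that the weak scheme will accept for a different username and a later expiry. The fixed digest rejects the rewritten cookie because the length prefix and separator change the hashed bytes; in a real deployment the token should additionally be bound to something that changes on password reset or logout, which this sketch does not cover.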

The same two Drupal 8 releases, along with Drupal 7.66, also fix a cross-site scripting vulnerability that researchers "dtv_rb" and "Jess" found in the jQuery library; the jQuery project addressed it in its newest release, version 3.4.0, and all prior versions are affected.

Bradley Barth
