
Drupal corrects four flaws in core CMS offering

Content management systems provider Drupal released a series of patches on Wednesday to address four vulnerabilities spread between Drupal core versions 7 and 8, including two errors designated as “moderately critical.”

Among the two more serious problems is a vulnerability that could expose Drupal 7 users to social engineering schemes. According to a Drupal security advisory, under certain circumstances, malicious users can “construct a URL to a confirmation form that would trick users into being redirected to a third-party website after interacting with the form.” The other moderately critical flaw is a denial-of-service vulnerability in Drupal 8's transliterate mechanism that can be exploited with a specially crafted URL.

A “less critical” vulnerability involves the inconsistent naming of access query tags in versions 7 and 8, which can result in the disclosure of taxonomy terms to unprivileged users. Also, in Drupal 8, the user password reset form “does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page,” the advisory noted.
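The password reset cache flaw can be pictured with a small model of a render cache that builds its key only from the contexts a form declares. This is an added example, not code from Drupal or the advisory; the `RenderCache` class, the `reset_form` builder and the `name` query argument are assumptions made for illustration, and the request sequence is constructed.

```python
# Simplified model of a context-keyed render cache (illustrative, not Drupal's code).
from html import escape
from urllib.parse import parse_qsl, urlsplit


class RenderCache:
    """Caches rendered output under a key built only from declared contexts."""

    def __init__(self):
        self.store = {}

    def key(self, url, contexts):
        parts = urlsplit(url)
        key = [parts.path]
        if "url.query_args" in contexts:
            # Query arguments change the output, so they must change the key.
            key.append(tuple(sorted(parse_qsl(parts.query))))
        return tuple(key)

    def render(self, url, builder, contexts):
        k = self.key(url, contexts)
        if k not in self.store:
            self.store[k] = builder(url)
        return self.store[k]


def reset_form(url):
    """Hypothetical form that prefills a field from a 'name' query argument."""
    query = dict(parse_qsl(urlsplit(url).query))
    name = escape(query.get("name", ""), quote=True)
    return f'<input name="name" value="{name}">'


def serve(requests, contexts):
    """Serve each URL through one fresh cache; return the responses in order."""
    cache = RenderCache()
    return [cache.render(u, reset_form, contexts) for u in requests]


# Constructed sequence: the first visitor supplies a query argument, the second does not.
REQUESTS = ["/user/password?name=text-chosen-by-first-visitor", "/user/password"]

if __name__ == "__main__":
    for label, ctx in (("context missing", set()), ("context declared", {"url.query_args"})):
        print(label, serve(REQUESTS, ctx))
```

With the context missing, the second visitor receives the first visitor's prefilled form from the cache; once the query arguments are part of the cache key, each request gets its own rendering.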

Drupal core users can install these patches by upgrading to Drupal core 7.52 or 8.2.3.

Bradley Barth

