Drupal has Released a Security Update for Multiple Vulnerabilities

PUBLISHED:
30 November 2018

A set of remote code execution vulnerabilities and other critical vulnerabilities has been discovered in multiple subsystems of Drupal 7.x and Drupal 8.x core. They potentially allow attackers to exploit multiple attack vectors on a site running Drupal, resulting in a complete compromise of the site. As of the writing of this alert, Drupal has not identified a public exploit in the wild, but given the criticality of the vulnerabilities, website owners should expect exploits to be developed and used maliciously. Applying the now-released fix is therefore highly recommended.

List of Vulnerabilities Discovered

  • Content moderation – Moderately Critical – Access bypass – Drupal 8
  • External URL injection through URL aliases – Moderately Critical – Open Redirect – Drupal 7 and Drupal 8
  • Anonymous Open Redirect – Moderately Critical – Open Redirect – Drupal 8
  • Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution – Drupal 7 and Drupal 8
  • Contextual Links validation – Critical – Remote Code Execution – Drupal 8
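Two of the issues listed are open redirects, where a user-supplied destination or URL alias is used to send a visitor to an external site of the attacker's choosing. The following Python function is an added example, not code from this bulletin or from Drupal, showing the defensive check a site or module should apply to any user-supplied destination before redirecting: it accepts only site-local absolute paths and rejects full URLs, protocol-relative (`//host`) forms, backslash and percent-encoded variants of those, and control characters. The function names and the sample destinations are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Added example; not code from the bulletin or from Drupal.
# Hypothetical helper: validate a user-supplied redirect destination.

def is_safe_local_destination(dest: str) -> bool:
    """Return True only if dest is an absolute path on this site.

    Rejects anything a browser could resolve to another host: full URLs,
    protocol-relative //host forms, backslash variants, percent-encoded
    variants of those, and control characters.
    """
    if not dest:
        return False
    # Decode once so a percent-encoded scheme or host cannot slip past the check.
    candidate = unquote(dest)
    # Stray control characters (CR/LF, tab, NUL) have no place in a path.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Some browsers treat a backslash like a slash, so "/\host" acts as "//host".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Require a site-absolute path that is not protocol-relative.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(dest: str, fallback: str = "/") -> str:
    """Return dest if it passes validation, otherwise the site-local fallback."""
    return dest if is_safe_local_destination(dest) else fallback


# Constructed sample destinations, as they might arrive in a ?destination= parameter.
SAMPLES = [
    "/node/1",
    "/user/login?destination=/node/2",
    "https://attacker.example/",
    "//attacker.example/",
    "/\\attacker.example/",
    "%2F%2Fattacker.example/",
    "javascript:void(0)",
    "/node/1\r\nSet-Cookie: x=y",
    "",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```

The check is deliberately an allow-list (site-absolute path only) rather than a deny-list of known-bad prefixes; decoding once before inspection and normalising backslashes are the two steps most often missed in ad-hoc redirect validation.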

Affected Systems:

Drupal 8 and 7 are affected.

Recommended Action:

TechCERT recommends that all Drupal users update their sites to the most recent release of the Drupal version they are using.
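To act on this recommendation across many sites, an operator first needs to know which core version each site runs. The following Python script is an added example, not part of this bulletin or of Drupal itself: it reads the version constant from the files where Drupal 7 (`includes/bootstrap.inc`) and Drupal 8 (`core/lib/Drupal.php`) record it and compares it with the first fixed release of the matching branch. The numbers in `FIXED_RELEASES` are placeholders that are not taken from this bulletin; substitute the values given in the Drupal security advisory. The sample file contents are constructed.

```python
import os
import re
from typing import List, Optional, Tuple

# Added example; not code from the bulletin or from Drupal.
# Files in which Drupal core records its own version (real locations for 7.x and 8.x).
VERSION_SOURCES = [
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),  # Drupal 7
    ("core/lib/Drupal.php", re.compile(r"const VERSION\s*=\s*'([^']+)'")),        # Drupal 8
]

# PLACEHOLDER thresholds (not from this bulletin): first fixed release of each
# maintained branch. Replace with the numbers given in the Drupal advisory.
FIXED_RELEASES = ["7.62", "8.5.9", "8.6.6"]


def parse_version(file_text: str) -> Optional[str]:
    """Pull the version string out of either version-bearing file."""
    for _, pattern in VERSION_SOURCES:
        match = pattern.search(file_text)
        if match:
            return match.group(1)
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'8.6.1' -> (8, 6, 1); a '-dev' or '-rc1' suffix is dropped for comparison."""
    numeric = re.match(r"[\d.]+", version)
    if not numeric:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in numeric.group(0).strip(".").split("."))


def is_patched(installed: str, fixed_releases: List[str] = FIXED_RELEASES) -> bool:
    """Compare against the fixed release of the installed version's own branch.

    A branch is everything but the last component of a fixed release
    (7.x, 8.5.x, 8.6.x). A version on a branch with no fixed release
    (for example an end-of-life 8.4.x) is reported as not patched, since
    only moving to a maintained branch can fix it.
    """
    inst = version_tuple(installed)
    for fixed in fixed_releases:
        fixed_t = version_tuple(fixed)
        branch = fixed_t[:-1]
        if inst[: len(branch)] == branch:
            return inst >= fixed_t
    return False


def check_docroot(docroot: str, fixed_releases: List[str] = FIXED_RELEASES) -> Tuple[Optional[str], str]:
    """Locate the version file under a Drupal docroot and report patch status."""
    for relpath, _ in VERSION_SOURCES:
        path = os.path.join(docroot, relpath)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            if version is None:
                return None, f"{path}: version constant not found"
            state = "patched" if is_patched(version, fixed_releases) else "VULNERABLE, update required"
            return version, f"{path}: Drupal {version} is {state}"
    return None, f"{docroot}: no Drupal core version file found"


# Constructed file contents standing in for a real docroot.
SAMPLE_D7_BOOTSTRAP = "<?php\n\ndefine('VERSION', '7.59');\n"
SAMPLE_D8_DRUPAL_PHP = "<?php\n\nclass Drupal {\n  const VERSION = '8.6.1';\n}\n"

if __name__ == "__main__":
    for text in (SAMPLE_D7_BOOTSTRAP, SAMPLE_D8_DRUPAL_PHP):
        version = parse_version(text)
        print(version, "patched" if is_patched(version) else "VULNERABLE, update required")
```

Run `check_docroot("/var/www/example")` against each site's document root; a result of "no Drupal core version file found" usually means the path is not the docroot or the installation has been relocated, and should be investigated rather than ignored.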
