Drupal has Released a Security Update for Multiple Vulnerabilities

PUBLISHED:
30 November 2018

A set of remote code execution vulnerabilities and other critical vulnerabilities has been discovered in multiple subsystems of Drupal 7.x and Drupal 8.x core (Drupal security advisory SA-CORE-2018-006). An attacker could exploit these flaws through several attack vectors against a site running Drupal, potentially resulting in complete compromise of the site. As of the writing of this alert, Drupal had not identified a public exploit in the wild, but given the criticality of the vulnerabilities, website owners should expect exploits to be developed and used maliciously. Applying the released fix promptly is therefore strongly recommended.

List of Vulnerabilities Discovered

  • Content moderation – Moderately critical – Access bypass – Drupal 8
  • External URL injection through URL aliases – Moderately critical – Open redirect – Drupal 7 and Drupal 8
  • Anonymous open redirect – Moderately critical – Open redirect – Drupal 8
  • Injection in DefaultMailSystem::mail() – Critical – Remote code execution – Drupal 7 and Drupal 8
  • Contextual Links validation – Critical – Remote code execution – Drupal 8

Affected Systems:

Drupal 7.x and Drupal 8.x core are affected.

Recommended Action:

TechCERT recommends that all Drupal site owners update to the latest release of the Drupal branch they run: Drupal 7.60 for 7.x sites, Drupal 8.6.2 for 8.6.x sites, and Drupal 8.5.8 for 8.5.x sites. Drupal 8 branches earlier than 8.5.x are end-of-life, did not receive a fix, and should be upgraded to a supported branch.
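As an added illustration of the recommended action (example code written for this page, not from the TechCERT bulletin or from Drupal itself): a small Python checker that reads the core version string from a Drupal 7 or Drupal 8 docroot and reports whether it is at or above the fixed releases. The fixed versions (7.60, 8.5.8, 8.6.2) and the rule that 8.x branches before 8.5 received no fix are taken from Drupal's upstream advisory SA-CORE-2018-006, not from the bulletin above; the file locations `includes/bootstrap.inc` (Drupal 7) and `core/lib/Drupal.php` (Drupal 8) are where those branches define their `VERSION` constant. The sample docroot built by `demo()` is constructed for the example.

```python
"""Check whether a Drupal 7/8 docroot is at or above the releases that carry the
SA-CORE-2018-006 fixes. Added example; not TechCERT's or Drupal's own code."""
import re
import sys
import tempfile
from pathlib import Path

# Fixed releases named in Drupal's SA-CORE-2018-006, keyed by branch.
# Assumption: taken from the upstream advisory; the bulletin itself does not list them.
FIXED = {"7": (7, 60), "8.5": (8, 5, 8), "8.6": (8, 6, 2)}

# Files in which each major branch records its core version string.
VERSION_SOURCES = {
    "7": ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
    "8": ("core/lib/Drupal.php", re.compile(r"const VERSION\s*=\s*'([^']+)'")),
}


def parse_version(text):
    """'8.6.1', '7.60', '8.7.0-alpha1' -> tuple of ints (pre-release tag dropped).
    Returns None for dev strings such as '8.6.x-dev', which cannot be compared."""
    core = text.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        return None
    return tuple(int(p) for p in core.split("."))


def assess(version_text):
    """Classify a core version string against the fixed releases."""
    v = parse_version(version_text)
    if v is None or len(v) < 2:
        return "unknown"
    if v[0] == 7:
        return "patched" if v >= FIXED["7"] else "vulnerable"
    if v[0] == 8:
        if v[1] < 5:
            # 8.x branches before 8.5 were end-of-life when the advisory was
            # issued and never received the fix (per the upstream advisory).
            return "vulnerable (unsupported branch)"
        if v[1] > 6:
            # 8.7 and later branched after the fix landed.
            return "patched"
        return "patched" if v >= FIXED[f"8.{v[1]}"] else "vulnerable"
    return "unknown"


def detect_version(docroot):
    """Return the core version string found under docroot, or None if no
    Drupal 7/8 version file is present."""
    for relpath, pattern in VERSION_SOURCES.values():
        path = Path(docroot) / relpath
        if path.is_file():
            match = pattern.search(path.read_text(errors="replace"))
            if match:
                return match.group(1)
    return None


def scan_docroot(docroot):
    """(version, status) for a docroot, or None if it does not look like Drupal."""
    version = detect_version(docroot)
    if version is None:
        return None
    return version, assess(version)


def demo():
    """Build a constructed Drupal 8 docroot with an unpatched core version and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        core = Path(tmp) / "core" / "lib"
        core.mkdir(parents=True)
        # Constructed fragment mimicking core/lib/Drupal.php; not real Drupal source.
        (core / "Drupal.php").write_text(
            "<?php\nclass Drupal {\n  const VERSION = '8.6.1';\n}\n"
        )
        return scan_docroot(tmp)


if __name__ == "__main__":
    # Usage: python check_drupal.py /var/www/html  (no argument: scan the demo docroot)
    result = scan_docroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    if result is None:
        print("no Drupal 7/8 core version file found")
    else:
        print(f"Drupal {result[0]}: {result[1]}")
```

The checker reads the code actually on disk rather than trusting a status page, which is what should be verified after an update. A version string at or above the fixed release only shows that the patch is present; it says nothing about whether the site was already compromised before patching, which is a separate investigation.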

Additional Information:

Drupal security advisory SA-CORE-2018-006: https://www.drupal.org/sa-core-2018-006
