
Drupal, the popular open-source content management system, has released security updates to address multiple “moderately critical” vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites.

According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in third-party libraries that are included in Drupal 8.6, Drupal 8.5 or earlier and Drupal 7.

One of the security flaws is a cross-site scripting (XSS) vulnerability in a third-party library, jQuery, the most widely used JavaScript library, deployed on millions of websites and shipped as part of Drupal Core.

Last week, the jQuery project released jQuery 3.4.0 to patch the reported vulnerability, which has not yet been assigned a CVE number and affects all prior versions of the library.

“jQuery 3.4.0 includes a fix for some unintended behaviour when using jQuery.extend(true, {}, …). If an unsanitised source object contained an enumerable __proto__ property, it could extend the native Object.prototype,” the advisory explains.

“It’s possible that this vulnerability is exploitable with some Drupal modules.”
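The mechanism the advisory describes, as an added example that is not Drupal's or jQuery's code: a deep-extend modelled on jQuery.extend(true, target, source) that skips prototype-altering keys, run against a constructed JSON payload carrying an own `__proto__` property. The function names are assumptions.

```javascript
// Added example, not Drupal's or jQuery's code. Names are assumptions.
// Keys that must never be merged into a target: writing through them reaches
// Object.prototype (or the constructor chain) instead of the target itself.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Deep merge in the spirit of jQuery.extend(true, target, source).
// Object.keys lists own enumerable keys, so a JSON-parsed "__proto__" shows
// up here as an ordinary-looking key; it is dropped instead of being walked.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value; // primitives, arrays and class instances copied as-is
    }
  }
  return target;
}

// Detection helper: true if something has already added `name` to Object.prototype.
function isPrototypePolluted(name) {
  return hasOwn(Object.prototype, name);
}

// Constructed sample: untrusted JSON such as a request body. JSON.parse creates
// "__proto__" as an own data property, not as the prototype link.
const UNTRUSTED = JSON.parse(
  '{"title":"Hello","__proto__":{"isAdmin":true},"settings":{"theme":"dark"}}'
);

function demo() {
  const merged = safeDeepExtend({ settings: { theme: "light", width: 80 } }, UNTRUSTED);
  return {
    title: merged.title,
    theme: merged.settings.theme,
    width: merged.settings.width,
    hasOwnProto: hasOwn(merged, "__proto__"),
    freshObjectIsAdmin: ({}).isAdmin, // undefined when the prototype is clean
    polluted: isPrototypePolluted("isAdmin"),
  };
}
```

The same check, `isPrototypePolluted`, can be run after any untrusted merge in a module to confirm Object.prototype has not gained unexpected own properties.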

The remaining three security vulnerabilities reside in Symfony PHP components used by Drupal Core and could result in cross-site scripting (CVE-2019-10909), remote code execution (CVE-2019-10910) and authentication bypass (CVE-2019-1091) attacks.

Considering the popularity of Drupal exploits among hackers, site administrators are strongly advised to install the latest update of the CMS as soon as possible:

  • If you are using Drupal 8.6, update to Drupal 8.6.15.
  • If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
  • If you are using Drupal 7, update to Drupal 7.66.

Almost two months ago, Drupal maintainers patched a critical RCE vulnerability in Drupal Core without releasing any technical details of the flaw, which could have allowed remote attackers to compromise Drupal-based websites.

images from Hacker News