released security updates to address multiple “moderately critical”
vulnerabilities in Drupal Core that could allow remote attackers to
compromise the security of hundreds of thousands of websites.
According to the advisories[1]
published today by the Drupal developers, all security
vulnerabilities Drupal patched this month reside in third-party
libraries that are included in Drupal 8.6, Drupal 8.5 or earlier
and Drupal 7.
One of the security flaws is a cross-site scripting (XSS)
vulnerability that resides in a third-party plugin, jQuery,
the most popular JavaScript library, which is used by millions
of websites and also comes pre-integrated in Drupal Core.
Last week, jQuery released its latest version, jQuery 3.4.0, to
patch the reported vulnerability, which has not yet been assigned
a CVE number and affects all prior versions of the library to that
date.
“jQuery 3.4.0 includes a fix for some unintended behavior when
using jQuery.extend(true, {}, …). If an unsanitized source object
contained an enumerable __proto__ property, it could extend the
native Object.prototype,” the advisory explains.
“It’s possible that this vulnerability is exploitable with some
Drupal modules.”
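To make the advisory's description concrete, here is an added example (not jQuery's, Drupal's or the article's own code): a simplified deep-extend in the style of `jQuery.extend(true, target, source)`, first in a naive form that reproduces the behaviour described, then in a hardened form that refuses to walk into prototype-reaching keys. The JSON input is constructed and stands in for unsanitized user-supplied settings; `isPlainObject`, `naiveDeepExtend`, `safeDeepExtend` and `mergeAndCheck` are names chosen for this example.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge: copies every enumerable own key of source, including
// one literally named "__proto__". Reading target["__proto__"] yields
// Object.prototype, so the recursive merge then writes onto it.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: keys that can reach the prototype chain are skipped outright,
// and only own, plain-object properties of the target are merged into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse creates an own, enumerable "__proto__" key.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';

// Merges the untrusted settings into defaults with the given merge function and
// reports whether an unrelated, freshly created object picked up the injected key.
function mergeAndCheck(extendFn) {
  const defaults = { theme: 'light' };
  extendFn(defaults, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore a pristine prototype for later checks
  return { theme: defaults.theme, leaked };
}
```

The same check (merge untrusted input, then inspect a fresh `{}` for unexpected keys) is a cheap regression test to keep in a module's test suite after upgrading the bundled jQuery.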
components used by Drupal Core that could result in cross-site
scripting (CVE-2019-10909), remote code execution (CVE-2019-10910)
and authentication bypass (CVE-2019-1091) attacks.
Considering the popularity of Drupal exploits among hackers, you
are highly recommended to install the latest update of the CMS as
soon as possible:
- If you are using Drupal 8.6, update to Drupal 8.6.15.
- If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
- If you are using Drupal 7, update to Drupal 7.66.
Almost two months ago, Drupal maintainers patched a critical RCE
vulnerability in Drupal Core without releasing any technical
details of the flaw, which could have allowed remote attackers to
hack its customers’ websites.
But despite that, the proof-of-concept (PoC) exploit code for the
vulnerability was made publicly available on the Internet just two
days after the team rolled out the patched version of its software.
And then, several individuals and groups of hackers started actively
exploiting the flaw[4]
to install cryptocurrency miners on vulnerable Drupal websites that
did not update their CMSes to the latest version.
Last year, attackers also targeted hundreds of thousands of
Drupal websites in mass attacks using in-the-wild exploits
leveraging two separate critical remote code execution
vulnerabilities, which were dubbed Drupalgeddon2[5]
and Drupalgeddon3[6].
In those cases as well, the attacks started shortly after PoC
exploit code for both vulnerabilities was published on the
Internet, which was then followed by large-scale Internet scanning
and exploitation attempts.
Long story short: patch your websites before it gets too late.
References
1. advisories (www.drupal.org)
2. jQuery 3.4.0 (blog.jquery.com)
3. a critical RCE vulnerability (thehackernews.com)
4. started actively exploiting the flaw (thehackernews.com)
5. Drupalgeddon2 (thehackernews.com)
6. Drupalgeddon3 (thehackernews.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/JEWcwVUzRiU/drupal-security-update.html