The bugs include incorrect code handling and access bypass security flaws.
Drupal has patched multiple vulnerabilities in the CMS platform, some of which are deemed critical.
Earlier this week, the open-source content management system (CMS) provider issued a security advisory detailing a series of bugs which have now been resolved.
The vulnerabilities impact version 7 of the platform, alongside Drupal 8 up to version 8.4.
The first critical vulnerability, impacting Drupal 8, permits users with the permission to post comments to view content and commentary they should not have access to, as well as add comments to this content.
If exploited, this could lead to cross-site scripting errors under certain circumstances.
Two other vulnerabilities, discovered in Drupal version 7, have been deemed moderately critical and have been resolved in this security update. The first bug is an access bypass problem when users request access to files under certain conditions, and the second problem is a jQuery cross-site scripting vulnerability which occurs when Ajax requests are made to untrusted domains.
The second flaw was fixed in Drupal 8.4.0, and the current Drupal 7.57 release fixes it for jQuery 1.4.4, which shipped with Drupal 7 core.
Another security issue resolved in this update on the Drupal version 8 platform occurs when node access controls interact with a multilingual website. Untranslated versions of the node are marked as the default fallback, but when this is used for languages without a translated version of the node, this can result in access bypass problems.
Another bug in Drupal version 8 was discovered in the Settings Tray module. The security flaw allows users to update select data which they do not have the correct permissions for.
This issue can be mitigated, however, by disabling the module.
The final bug, considered to be of a lower risk than any of the other problems patched in this update, allows attackers to trick visitors of a Drupal 7 domain into visiting an external site.
In August, Drupal patched a series of critical vulnerabilities which impacted the platform’s core engine. The most severe security flaw was an access bypass issue which allowed attackers to view, create, update, or delete entities in the Drupal access system.