New versions of Drupal - 7.60 and 8.6.2, elimination of found vulnerabilities SA-CORE-2018-006
Over time, any system may contain vulnerabilities found that were previously unknown. As practice shows, even the most secure system contains hidden security threats - the only question is the difficulty of finding them.
The Drupal system was no exception, new vulnerabilities were discovered in it. new versions of Drupal - 7.60 and 8.6.2 are already available to fix them. They fix multiple security threats, the system developers recommend installing these updates as soon as possible.
What's new in these versions of Drupal ? According to the information on the official website, only security threats were fixed in these versions. Accordingly, no innovations have been added.
What new vulnerabilities have been found in Drupal ? Below is a list of threats in Drupal versions prior to 7.60 and 8.6.2:
- Content moderation - Moderately critical - Access bypass - Drupal 8
Moderately critical threat in Drupal 8, which allows the user to get illegal access while working with content;
li> - External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
A moderately critical threat in Drupal 7 and Drupal 8 that allows external URL injection through aliases URL addresses, as a result of which links to malicious sites may be added to the site;
- Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
Moderately critical threat in Drupal 8, which is as follows: in CMS Drupal, when working with a page and switching to another, the return path can be specified in the address parameters. This path can be changed to a malicious address, as a result of which a transition will be made to a site that may look similar to the original one. Because of this, passwords and other information can be stolen, since usually such a site will display forms for allegedly re-authorization;
- Injection in DefaultMailSystem :: mail () - Critical - Remote Code Execution - Drupal 7 and Drupal 8
Critical threat in Drupal 7 and Drupal 8, which consists in sending e-mail, some data is not validated, which can lead to remote code execution;
- Contextual Links validation - Critical - Remote Code Execution - Drupal 8
Critical threat in Drupal 8, which is that the contextual links module does not validate the requested context links insufficiently, due to which remote code execution is possible.
As you can see, the found new Drupal vulnerabilities are quite serious, therefore it is recommended install the proposed updates as soon as possible.
Latest articles
- 03.04.24IT / Уроки PHP Уроки простыми словами. Урок 3. Все операторы PHP с примерами, с выводом работы кода на экран.
- 02.04.24IT / Уроки PHP Уроки простыми словами. Урок 2. Типы данных в PHP с примерами.
- 02.04.24IT / Уроки PHP Уроки простыми словами. Урок 1. Коротко о языке веб-программирования PHP. Основы синтаксиса.
- 09.11.23IT / Database Errors when migrating from MySQL 5.6 to 5.7 and how to fix them - database dump import failed with an error or INSERT does not work. Disabling STRICT_TRANS_TABLES strict mode or using IGNORE
- 08.07.22IT / Misc Convert office files DOC, DOCX, DOCM, RTF to DOCX, DOCM, DOC, RTF, PDF, HTML, XML, TXT formats without loss and markup changes