Sign in Registration
ruen

New versions of Drupal - 7.60 and 8.6.2, elimination of found vulnerabilities SA-CORE-2018-006

Over time, any system may contain vulnerabilities found that were previously unknown. As practice shows, even the most secure system contains hidden security threats - the only question is the difficulty of finding them.

drupal-new-versions-7.60-8.6.2

The Drupal system was no exception, new vulnerabilities were discovered in it. new versions of Drupal - 7.60 and 8.6.2 are already available to fix them. They fix multiple security threats, the system developers recommend installing these updates as soon as possible.

What's new in these versions of Drupal ? According to the information on the official website, only security threats were fixed in these versions. Accordingly, no innovations have been added.

What new vulnerabilities have been found in Drupal ? Below is a list of threats in Drupal versions prior to 7.60 and 8.6.2:

  • Content moderation - Moderately critical - Access bypass - Drupal 8
    Moderately critical threat in Drupal 8, which allows the user to get illegal access while working with content;

  • External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
    A moderately critical threat in Drupal 7 and Drupal 8 that allows external URL injection through aliases URL addresses, as a result of which links to malicious sites may be added to the site;

  • Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
    Moderately critical threat in Drupal 8, which is as follows: in CMS Drupal, when working with a page and switching to another, the return path can be specified in the address parameters. This path can be changed to a malicious address, as a result of which a transition will be made to a site that may look similar to the original one. Because of this, passwords and other information can be stolen, since usually such a site will display forms for allegedly re-authorization;

  • Injection in DefaultMailSystem :: mail () - Critical - Remote Code Execution - Drupal 7 and Drupal 8
    Critical threat in Drupal 7 and Drupal 8, which consists in sending e-mail, some data is not validated, which can lead to remote code execution;

  • Contextual Links validation - Critical - Remote Code Execution - Drupal 8
    Critical threat in Drupal 8, which is that the contextual links module does not validate the requested context links insufficiently, due to which remote code execution is possible.

As you can see, the found new Drupal vulnerabilities are quite serious, therefore it is recommended install the proposed updates as soon as possible.

Comments (0)
For commenting sign in or register.

Latest articles

Popular sections

Eqsash (Tools)

Android app - VK LAST USER ID, отучитель от зависимости и т.д.:
Available on Google Play

Amessage (Communication)

Login to the web version
Android app:
Available on Google Play

Share this

Subscribe to

YouTube

Books

IT notes - In simple language about the most necessary things (HTML, CSS, JavaScript, PHP, databases, Drupal, Bitrix, SEO, domains, security and more), PDF, 500 p.