New versions of Drupal, 7.60 and 8.6.2, fix the vulnerabilities found in SA-CORE-2018-006
Over time, previously unknown vulnerabilities may be found in any system. As practice shows, even the most secure system contains hidden security threats; the only question is how hard they are to find.
The Drupal system was no exception: new vulnerabilities were discovered in it, and new versions of Drupal, 7.60 and 8.6.2, are already available to fix them. They address multiple security issues, and the system developers recommend installing these updates as soon as possible.
What's new in these versions of Drupal? According to the information on the official website, only security issues were fixed in these versions; accordingly, no new features have been added.
What new vulnerabilities have been found in Drupal? Below is a list of the issues present in Drupal versions prior to 7.60 and 8.6.2:
- Content moderation - Moderately critical - Access bypass - Drupal 8
A moderately critical threat in Drupal 8 that allows a user to gain unauthorized access while working with content;
- External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
A moderately critical threat in Drupal 7 and Drupal 8 that allows external URL injection through URL aliases, as a result of which links to malicious sites may be added to the site;
- Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
A moderately critical threat in Drupal 8 that works as follows: in Drupal, when working with a page and moving to another, the return path can be specified in the address parameters. This path can be changed to a malicious address, so that the user is sent to a site that may look like the original one. Passwords and other information can be stolen this way, since such a site will usually display forms that allegedly ask the user to log in again;
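Both open-redirect items above come down to the same defensive check: a return path taken from the request must be confirmed to stay on the site before it is used in a redirect. The following is an added example, not Drupal's own code or anything from the advisory; it is a generic Python validator, and the sample destinations and the host name `example.org` are constructed for illustration. It is stricter than the specific case in the text: it also catches protocol-relative URLs, the backslash variant browsers treat as a second slash, other schemes, control characters, and the `user@host` trick that fools a naive host comparison.

```python
from urllib.parse import urlsplit

# Constructed sample values, as a redirect parameter might arrive in a query
# string. Not taken from Drupal or from the advisory.
SAMPLE_DESTINATIONS = [
    "/user/1",                            # plain local path: fine
    "/node/5?destination=/user",          # local path with its own query: fine
    "//evil.example/login",               # protocol-relative, leaves the site
    "/\\evil.example/login",              # browsers read this as //evil.example
    "https://evil.example/login",         # absolute URL to another host
    "javascript:alert(1)",                # not a navigation target at all
    "/user\r\nSet-Cookie: a=b",           # control characters (header injection)
    "https://example.org/user/1",         # absolute URL to our own host
    "https://example.org@evil.example/",  # userinfo trick: real host is evil.example
]


def is_safe_destination(destination: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Return True only if `destination` stays on this site.

    Accepts a site-relative path starting with a single "/" or, when
    `allowed_hosts` is given, an http(s) URL whose host is on that list.
    Everything else (other schemes, other hosts, protocol-relative URLs,
    control characters) is rejected.
    """
    if not destination:
        return False
    # Reject control characters before parsing: urlsplit() silently strips
    # some of them, which would hide a CR/LF in the redirect target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in destination):
        return False
    # Browsers treat a backslash after the leading slash like a second slash,
    # so normalise it before deciding whether the value is protocol-relative.
    candidate = destination.replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Site-relative: require exactly one leading slash.
        return candidate.startswith("/") and not candidate.startswith("//")

    # Absolute URL: only http(s), only listed hosts, and no userinfo, which
    # would otherwise let "https://ours@evil.example/" pass a naive check.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_redirect(destination: str, allowed_hosts: frozenset = frozenset(),
                     fallback: str = "/") -> str:
    """Pick the redirect target: the requested one if safe, otherwise the fallback."""
    return destination if is_safe_destination(destination, allowed_hosts) else fallback


if __name__ == "__main__":
    own_hosts = frozenset({"example.org"})  # assumed site host, constructed
    for dest in SAMPLE_DESTINATIONS:
        verdict = "allow" if is_safe_destination(dest, own_hosts) else "REJECT -> /"
        print(f"{dest!r}: {verdict}")
```

The check deliberately rejects rather than repairs: a bad destination falls back to the front page instead of being rewritten, because every rewriting rule is one more thing an attacker can study. Control characters are tested on the raw string before parsing, since recent Python versions strip CR, LF and TAB inside `urlsplit()`.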
- Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8
A critical threat in Drupal 7 and Drupal 8 in which some data used when sending e-mail is not validated, which can lead to remote code execution;
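The page does not say which data goes unvalidated, so the following is only the general defensive practice for e-mail parameters: validate every value that will be handed to a mail backend against a conservative allowlist, and reject rather than escape anything else. This is an added example in Python, not Drupal's code or the advisory's details; the address pattern, the sample inputs and the `build_message` shape are assumptions made for illustration.

```python
import re

# Conservative address pattern, deliberately narrower than RFC 5322: these
# values may be handed to a mail transport, so whitespace, quotes and shell
# metacharacters are simply not accepted rather than escaped.
_SAFE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+")

# Constructed sample inputs, as they might arrive from a web form.
SAMPLE_RECIPIENTS = [
    "alice@example.org",
    "bob.smith+news@mail.example.org",
    "alice@example.org\r\nBcc: everyone@example.org",  # header injection attempt
    "alice@example.org --extra-flag",                   # extra token smuggled via a space
    "carol@example.org, dave@example.org",              # list with a space after the comma
    "eve@example",                                      # no dot in the domain
]


def is_safe_address(value: str) -> bool:
    """True only for a single plain address matching the conservative pattern."""
    return _SAFE_ADDRESS.fullmatch(value) is not None


def parse_recipients(raw: str) -> list:
    """Split a comma-separated recipient string into validated addresses.

    Raises ValueError on the first value that fails validation, so a
    malformed or hostile entry never reaches the mail backend.
    """
    recipients = []
    for item in raw.split(","):
        addr = item.strip(" ")  # only spaces; CR/LF must still fail validation
        if not is_safe_address(addr):
            raise ValueError(f"invalid recipient: {addr!r}")
        recipients.append(addr)
    return recipients


def recipients_accepted(raw: str) -> bool:
    """Convenience wrapper: does the whole recipient string pass validation?"""
    try:
        parse_recipients(raw)
        return True
    except ValueError:
        return False


def is_safe_header_value(value: str) -> bool:
    """Reject CR/LF and other control characters in a header such as Subject."""
    return all(ord(ch) >= 0x20 and ord(ch) != 0x7F for ch in value)


def build_message(to: str, subject: str, body: str) -> dict:
    """Assemble the pieces a mail backend would be handed, validating each first."""
    if not is_safe_header_value(subject):
        raise ValueError("subject contains control characters")
    return {"to": parse_recipients(to), "subject": subject, "body": body}


if __name__ == "__main__":
    for raw in SAMPLE_RECIPIENTS:
        print(f"{raw!r}: {'accepted' if recipients_accepted(raw) else 'REJECTED'}")
```

Two points are worth noting. The allowlist is intentionally narrower than what RFC 5322 permits in a local part (it drops characters such as `|`, `&` and the backtick), because a value that reaches a command line or a header has to be safe in that context, not merely a valid mailbox name. And `fullmatch` is used instead of `^`/`$` anchors so that a trailing newline cannot slip past the pattern.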
- Contextual Links validation - Critical - Remote Code Execution - Drupal 8
A critical threat in Drupal 8 in which the contextual links module insufficiently validates the requested contextual links, so that remote code execution is possible.
As you can see, the newly found Drupal vulnerabilities are quite serious, so it is recommended to install the proposed updates as soon as possible.