Drupal plugs duo of critical security flaws in open source CMS – The Daily Swig
Patch now to remedy CSRF and remote code execution bugs
Drupal has fixed a pair of critical vulnerabilities in the widely used open source content management system.
First up is a cross-site request forgery (CSRF) vulnerability (SA-CORE-2020-004) that means the Drupal core Form API fails to properly handle certain form input from cross-site requests.
The bug was identified by Samuel Mortenson of the Drupal Security Team and Dor Tumarkin, an application security team leader at Checkmarx.
If left unresolved, the security flaw could have allowed attackers to insert malicious code into an authenticated user’s Drupal page, according to Checkmarx, which has documented its discovery in a technical blog post.
“Achieved via cross-site scripting (XSS) and document object model (DOM) manipulation, the discovered API exploit was proven to affect both the latest version of Drupal (9.0), and previous versions,” the security firm added.
The critical vulnerability is resolved in Drupal 7.72, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1.
The same set of updates also addresses a separate critical vulnerability () involving an arbitrary PHP code execution risk.
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system,” an advisory from the Drupal core development team explains.
“With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.”
Security researchers Lorenzo Grespan of Pentest and Sam Thomas are credited with discovering the PHP flaw.
Both critical updates were released on Wednesday alongside a less serious access bypass flaw ().