Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Code Execution and Other Vulnerabilities Patched in Drupal

Drupal developers have announced the release of updates that patch several vulnerabilities in the open source content management system (CMS).

Drupal developers have announced the release of updates that patch several vulnerabilities in the open source content management system (CMS).

Drupal has released four advisories that describe four types of vulnerabilities. One of them has been rated “critical” and the other three “moderately critical.” Drupal uses the NIST Common Misuse Scoring System to rate vulnerabilities — instead of CVSS — with flaws being rated “less critical,” “moderately critical,” “critical” and “highly critical.”

The “critical” vulnerability, tracked as CVE-2022-25277, affects Drupal 9.3 and 9.4. The issue impacts the Drupal core and it can lead to arbitrary PHP code execution on Apache web servers by uploading specially crafted files.

Drupal developers pointed out that only Apache web servers are impacted and only with specific configurations. They have advised website admins to check their server for possible signs of compromise.

The three “moderately critical” security holes also impact the Drupal core. Their exploitation can lead to cross-site scripting (XSS) attacks, information disclosure, or access bypass.

Patches for these vulnerabilities are included in Drupal 9.4.3 and 9.3.19. The information disclosure flaw also impacts Drupal 7 and a fix has been included in version 7.91.

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised Drupal users to review the advisories and install the updates.

While Drupal websites are not as targeted as WordPress sites, several of the vulnerabilities found in the CMS in the past years were exploited by malicious actors, including for spam campaigns and to hack websites and deliver malware.

Advertisement. Scroll to continue reading.

Related: Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal

Related: Drupal Patches ‘High-Risk’ Third-Party Library Flaws

Related: Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.