Drupal Security Updates Patch Five Vulnerabilities

The developers of Drupal, the open source content management system (CMS) currently used by more than 1.1 million websites, have addressed several security issues with the release of versions 7.39 and 6.37.

The security advisory published on Wednesday by Drupal reveals that version 7 is affected by a cross-site scripting (XSS) vulnerability that can be exploited to launch attacks by invoking Drupal.ajax() on a whitelisted HTML element.

The flaw does not affect Drupal 6 and it cannot be exploited on websites that prevent untrusted users from entering HTML. The issue has been addressed by getting the Ajax system to validate URLs before an Ajax request is made.

A different XSS vulnerability, affecting both Drupal 6 and 7, exists in the autocomplete functionality of forms because the requested URL is not sanitized properly. This security hole can only be exploited by a malicious user who is allowed to upload files.

“For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs,” Drupal explained.
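Both Ajax fixes described above come down to the same defensive check: validate the request URL before the Ajax layer ever sees it. The following is an added illustration written for this article, not Drupal's own code; the function name isSafeAjaxUrl, the page origin and the sample URLs are constructed, and the accepted-scheme policy (http and https, same origin only) is an assumption about what such a check should enforce.

```javascript
// Added illustration (not Drupal's code): validate a URL before it is used as
// an Ajax request target, mirroring the intent of the 7.39 fix that validates
// URLs before Drupal.ajax() fires a request and of the autocomplete URL fix.
// isSafeAjaxUrl(candidate, pageOrigin) returns true only for http(s) URLs that
// resolve to the same origin as the page; javascript:, data: and cross-origin
// targets are rejected so they can never reach the Ajax layer.
function isSafeAjaxUrl(candidate, pageOrigin) {
  if (typeof candidate !== 'string') return false;
  let parsed;
  try {
    // Resolve relative paths ("/node/1/edit") against the page origin.
    // The WHATWG parser also trims surrounding whitespace and lowercases the
    // scheme, so "  JAVASCRIPT:..." is still recognised as javascript:.
    parsed = new URL(candidate, pageOrigin);
  } catch (e) {
    return false; // unparseable input is rejected, never passed through
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return false; // blocks javascript:, data:, vbscript: and similar schemes
  }
  // Same-origin only: comparing origin covers scheme, host and port together.
  return parsed.origin === new URL(pageOrigin).origin;
}

// Constructed sample inputs, as a page served from https://example.test
// (a placeholder origin) might receive them from markup or form values.
const PAGE_ORIGIN = 'https://example.test';
const SAMPLES = [
  '/node/1/edit',                       // relative, same origin  -> allowed
  'https://example.test/views/ajax',    // absolute, same origin  -> allowed
  'javascript:alert(document.cookie)',  // script URL             -> rejected
  'data:text/html,<b>x</b>',            // data URL               -> rejected
  'https://attacker.example/collect',   // cross-origin           -> rejected
  '  JAVASCRIPT:alert(1)',              // padded / mixed case    -> rejected
];

// Run every sample through the check and report the verdict for each.
function classify(urls, origin) {
  return urls.map(u => ({ url: u, allowed: isSafeAjaxUrl(u, origin) }));
}

for (const r of classify(SAMPLES, PAGE_ORIGIN)) {
  console.log(r.allowed ? 'ALLOW ' : 'REJECT', JSON.stringify(r.url));
}
```

Only the first two constructed samples pass; the remaining four are rejected before any request is built, which is the property the patched Ajax system is described as enforcing.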

Drupal developers warn that version 7 of the CMS is plagued by a SQL injection vulnerability that allows an attacker with elevated privileges to inject malicious code into SQL comments. The flaw, found in the SQL comment filtering system, can only be exploited through one contributed module.

Drupal 7.39 and 6.37 also address a cross-site request forgery (CSRF) vulnerability affecting the form API. The weakness allows a malicious user to upload files to vulnerable websites under another user’s account. Developers have pointed out that files uploaded by attackers are only temporary, which means that they are deleted automatically after 6 hours.

“When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor,” Drupal said in the release notes.


The last vulnerability patched in Drupal 6 and 7 is an information disclosure issue related to menu links.

“Users without the ‘access content’ permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to,” reads Drupal’s advisory.

The vulnerabilities affect Drupal core 6.x versions prior to 6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be assigned to these vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
