Drupal Releases Security Updates

ronjor · Jun 21, 2017

Original release date: June 21, 2017

Drupal has released an advisory to address several vulnerabilities in Drupal versions 7.x and 8.x. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
Click to expand...

ronjor · Feb 21, 2018

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Description:
This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.
Click to expand...

Minimalist · Mar 22, 2018

Drupal Forewarns ‘Highly Critical’ Bug to be Patched Next Week

Drupal developers are being asked to give themselves extra time next week to fix a “highly critical” flaw in Drupal 7 and 8 core.

In an advisory sent to developers on Wednesday, Drupal notified them that, “there will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC.” The security advisory did not identify the bug, only describing it as a “highly critical security vulnerability.”
Click to expand...

https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week

Minimalist · Mar 28, 2018

Anyone running a website built with Drupal should stop whatever they are doing right now and install critical security patches.

The company has put out an urgent security patch and warned Wednesday that it has discovered a remote code execution vulnerability in "multiple subsystems" of its content management system software.

The holes could allow hackers to attack a Drupal website in a number of different ways and that "could result in the site being completely compromised." In other words, it's really bad.
Click to expand...

https://www.theregister.co.uk/2018/03/28/running_drupal_you_need_to_patch_patch_patch_right_now/

ronjor · Apr 13, 2018

Hackers Start Exploiting Drupalgeddon2 Vulnerability

By Eduard Kovacs on April 13, 2018
Attempts to exploit a recently patched vulnerability in the Drupal content management system (CMS) were spotted by researchers shortly after someone published a proof-of-concept (PoC) exploit.
Click to expand...

guest · Apr 13, 2018

Exploitation of Drupalgeddon2 Flaw Starts After Publication of PoC Code
April 13, 2018
https://www.bleepingcomputer.com/ne...n2-flaw-starts-after-publication-of-poc-code/

The exploitation of a very dangerous Drupal vulnerability has started after the publication of proof-of-concept (PoC) code.
Sucuri: Not a lot of exploitation attempts yet
"Not seeing a lot of attempts yet, just a couple from a few IP addresses," Daniel Cid, VP of Engineering at GoDaddy and CTO/Founder of Sucuri told Bleeping Computer in a private conversation last night.

The Druppalgeddon2 vulnerability (CVE-2018-7600) allows an attacker to run any code he desires against one of the CMS' core components, effectively taking over a site. See Check Point and Dofinity's explanation below:
No site takeovers yet. Just a lot of PoC testing.
Kevin Liston, a security researcher with SANS ISC, has also detected exploitation attempts against his organization's honeypots. The commands that attackers are trying to run via the PoC are currently harmless, and none are attempting to take over the underlying server
Click to expand...

ronjor · Apr 18, 2018

Date: 2018-April-18

Project: Drupal core
Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD
Vulnerability: Cross Site Scripting
Description:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).
Click to expand...

ronjor · Apr 24, 2018

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Posted by Drupal Security Team on 23 Apr 2018 at 16:27 UTC

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.
Click to expand...

ronjor · Apr 25, 2018

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

Project: Drupal core
Date: 2018-April-25
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Click to expand...

guest · Apr 26, 2018

Hackers Don't Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within Hours
April 25, 2018
https://www.bleepingcomputer.com/ne...tart-exploiting-new-drupal-flaw-within-hours/

Five hours after the Drupal team published a security update for the Drupal CMS, hackers have found a way to weaponize the patched vulnerability, and are actively exploiting it in the wild.

This vulnerability should not be confused with Drupalgeddon 2 (CVE-2018-7600), another Drupal CMS security issue patched last month, which is also heavily exploited. This issue —tracked as CVE-2018-7602— was patched today.

Unlike the Drupalgeddon 2 case, where hackers started exploiting it after two weeks, this time around, they started exploiting CVE-2018-7602 right away. The Drupal Security Team reported detecting attacks five hours after releasing a patch.
Drupal team suspected CVE-2018-7602 would cause problems
The Drupal team was aware that this flaw could have serious repercussions, and issued a PSA on Monday about today's upcoming patch.
CVE-2018-7602 is Drupalgeddon2's offspring
The flaw they are exploiting is a remote code execution (RCE) bug that affects both Drupal 7.x and 8.x versions. The vulnerability is rated 20 out of 25 on Drupal's own severity scale, meaning it can give attackers complete control over an attacked site.
Click to expand...

guest · Jun 5, 2018

mood said: ↑

Exploitation of Drupalgeddon2 Flaw Starts After Publication of PoC Code
April 13, 2018
https://www.bleepingcomputer.com/ne...n2-flaw-starts-after-publication-of-poc-code/
Click to expand...

Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
Two months after the release of the security updates for the drupalgeddon2 flaw, experts continue to see vulnerable websites running on flawed versions of Drupal that hasn’t installed security patches.
June 5, 2018
https://securityaffairs.co/wordpress/73219/hacking/drupalgeddon2-vulnerable-sites.html

In March, the Drupal developers Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600, aka drupalgeddon2, affecting Drupal 7 and 8 versions.
The vulnerability that could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub experts started observing attackers using it to deliver backdoors and crypto miners.

Two months after the release of the security updates, experts continue to see vulnerable websites running on flawed versions of Drupal that hasn’t installed security patches.
According to the security researcher Troy Mursch, there are over 115,000 Drupal sites that have installed security patched for drupalgeddon2 vulnerability.
Click to expand...

ronjor · Jun 8, 2018

Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2

By Eduard Kovacs on June 08, 2018
The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.
Click to expand...

ronjor · Aug 2, 2018

Drupal Core - 3rd-party libraries -SA-CORE-2018-005

Drupal Core - 3rd-party libraries -SA-CORE-2018-005

Advisory ID: SA-CORE-2018-005
Project: Drupal core
Version: 8.x
CVE: CVE-2018-14773
Date: 2018-August-01
Click to expand...

ronjor · Oct 18, 2018

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Posted by Drupal Security Team on 17 Oct 2018 at 16:42 UTC

Advisory ID: DRUPAL-SA-CORE-2018-006
Project: Drupal core
Version: 7.x, 8.x
Date: 2018-October-17
Click to expand...

ronjor · Jan 17, 2019

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

Date: 2019-January-16
Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E: Proof/TD:Uncommon
Vulnerability: Third Party Libraries
Click to expand...

ronjor · Jan 17, 2019

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 2019-January-16
Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description: A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
Click to expand...

guest · Feb 20, 2019

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
February 20, 2019
https://www.drupal.org/sa-core-2019-003

Date: 2019-February-20
Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
CVE IDs: CVE-2019-6340
Description: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Click to expand...

guest · Feb 26, 2019

Recently disclosed Drupal CVE-2019-6340 RCE flaw exploited in the wild
February 26, 2019
https://securityaffairs.co/wordpress/81684/breaking-news/drupal-vulnerability-cve-2019-6340.html

Last week, Drupal core team released security updates that address a “highly critical” remote code execution vulnerability.
Cybersecurity experts at Imperva observed hundreds of attacks against its customers exploiting the CVE-2019-6340 flaw on February 23. The attacks were carried out by multiple threat actors from several countries.

Hackers used a few payloads in the recent wave of attacks, one of the payloads observed by Imperva attempts to inject a Javascript cryptocurrency (Monero and Webchain) miner named CoinIMP into the index.php file of the compromised website. This causes all visitors will run the malicious script when visiting the homepage.
Click to expand...

ronjor · Mar 20, 2019

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Project: Drupal core
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD: Default
Vulnerability: Cross Site Scripting
Description: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Click to expand...

ronjor · Apr 18, 2019

Drupal Releases Security Updates

Original release date: April 17, 2019
Drupal has released security updates to address multiple vulnerabilities in Drupal Core. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal’s security advisories SA-CORE-2019-005 and SA-CORE-2019-006 and apply the necessary updates.
Click to expand...

guest · May 9, 2019

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007
May 8, 2019
https://www.drupal.org/sa-core-2019-007

Date: 2019-May-08
Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Third-party libraries
CVE IDs: CVE-2019-11831
Description: This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor: [...]
Click to expand...

guest · Jul 17, 2019

Drupal Releases Security Update
July 17, 2019
https://www.us-cert.gov/ncas/current-activity/2019/07/17/drupal-releases-security-update

Drupal has released a security update to address a vulnerability in Drupal Core. An attacker could exploit this vulnerability to take control of an affected website.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal’s security advisory SA-CORE-2019-008 and apply the necessary update.
Click to expand...

guest · Dec 19, 2019

Drupal Security Updates (December 18, 2019)

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

Date: 2019-December-18
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description: The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations.
Click to expand...

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

Date: 2019-December-18
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.
Click to expand...

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Date: 2019-December-18
Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Multiple vulnerabilities
Description: Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.
Click to expand...

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

Date: 2019-December-18
Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Denial of Service
Description: A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.
Click to expand...

guest · Mar 18, 2020

Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
March 18, 2020
https://www.drupal.org/sa-core-2020-001

Date: 2020-March-18
Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Third-party library
Description: The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities. [...]
Click to expand...

guest · May 21, 2020

Drupal Security Updates (May 20, 2020)

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Date: 2020-May-20
Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description: The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.
Those advisories are:
• CVE-2020-11022
• CVE-2020-11023 [...]
Click to expand...

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Date: 2020-May-20
Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Open Redirect
Description: Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
Other versions of Drupal core are not vulnerable.
Click to expand...

Log in or Sign up

Drupal Releases Security Updates

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Drupal Releases Security Updates

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches