Drupal patches critical CMS vulnerabilities

The bugs include incorrect code handling and access bypass security flaws.

Drupal has patched multiple vulnerabilities in the CMS platform, some of which are deemed critical.

Earlier this week, the open-source content management system (CMS) provider issued a security advisory detailing a series of bugs which have now been resolved.

The vulnerabilities impact version 7 of the platform, alongside Drupal 8 up to version 8.4.

The first critical vulnerability, impacting Drupal 8, permits users with the permission to post comments to view content and commentary they should not have access to, as well as add comments to this content.

The second critical security flaw, which affects both versions, involves an incomplete JavaScript function which does not correctly handle the injection of malicious HTML and code.

If exploited, this could lead to cross-site scripting errors under certain circumstances.

Two other vulnerabilities, discovered in Drupal version 7, have been deemed moderately critical and have been resolved in this security update. The first bug is an access bypass problem when users request access to files under certain conditions, and the second problem is a jQuery cross-site scripting vulnerability which occurs when Ajax requests are made to untrusted domains.

The second flaw was fixed in Drupal 8.4.0 and the current Drupal 7.57 release for jQuery 1.4.4, which shipped with Drupal 7 core.

See also: Drupal patches critical access bypass flaw in engine core

Another security issue resolved in this update on the Drupal version 8 platform occurs when node access controls interact with a multilingual website. Untranslated versions of the node are marked as the default fallback, but when this is used for languages without a translated version of the node, this can result in access bypass problems.

Another bug in Drupal version 8 was discovered in the Settings Tray module. The security flaw allows users to update select data which they do not have the correct permissions for.

This issue can be mitigated, however, by disabling the module.

The final bug, considered to be of a lower risk than any of the other problems patched in this update, allows attackers to trick visitors of a Drupal 7 domain into visiting an external site.

In order to resolve these issues, Drupal asks that users update immediately. Version 7 should be updated to Drupal 7.57, and version 8 must be updated to Drupal 8.4.5.

In August, Drupal patched a series of critical vulnerabilities which impacted the platform's core engine. The most severe security flaw was an access bypass issue which allowed attackers to view, create, update, or delete entities in the Drupal access system.

Previous and related coverage