Drupal patches multiple security flaws in core engine

One of the critical vulnerabilities allows attackers to remotely execute malicious code.
Written by Charlie Osborne, Contributing Writer on

Drupal has issued a security update which resolves three security flaws, two of which are deemed critical.

Earlier this week, the open-source website content management system (CMS) released a security advisory detailing the latest security issues which have been both discovered and fixed.


The three vulnerabilities, covered by advisory SA-CORE-2016-004, affect the 8.x branch of the CMS, and users are advised to upgrade to Drupal 8.1.10.

The first bug, considered the least dangerous of the three, allows users without admin rights to set comment visibility on nodes they are permitted to edit. By default, these accounts should not be able to make that change.

The second vulnerability, deemed critical, is a cross-site scripting flaw in the handling of HTTP exceptions. According to Drupal, attackers could craft URLs which, when loaded, execute arbitrary script in a victim's browser. The flaw arose because Drupal did not properly sanitize the output of some HTTP exceptions.
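To make the sanitization point concrete, here is a minimal PHP illustration written for this article (it is not Drupal's own exception handling, and the `HttpException` class and the two `renderError*` functions are hypothetical names). It shows the unsafe pattern the advisory describes, an exception message interpolated straight into HTML, beside the hardened version that HTML-escapes every dynamic fragment:

```php
<?php
// Added example, not Drupal code: a minimal HTTP-exception page renderer.
// The exception message can carry attacker-controlled data (for instance the
// path from a crafted URL), so it must be HTML-escaped before it reaches the page.

declare(strict_types=1);

final class HttpException extends RuntimeException
{
    public function __construct(private int $statusCode, string $message)
    {
        parent::__construct($message);
    }

    public function getStatusCode(): int
    {
        return $this->statusCode;
    }
}

// Vulnerable: interpolates the message directly into markup, so any tags in the
// message become part of the page and run in the victim's browser.
function renderErrorUnsafe(HttpException $e): string
{
    return "<h1>Error {$e->getStatusCode()}</h1><p>{$e->getMessage()}</p>";
}

// Hardened: every dynamic fragment passes through htmlspecialchars() with
// ENT_QUOTES, so <, >, &, " and ' are rendered as text and cannot break out
// of the surrounding element.
function renderErrorSafe(HttpException $e): string
{
    $escape = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<h1>Error ' . $escape((string) $e->getStatusCode()) . '</h1>'
         . '<p>' . $escape($e->getMessage()) . '</p>';
}

// Constructed sample input: a 404 whose message echoes a requested path that a
// crafted URL has filled with markup.
$requestedPath = '/node/<script>alert(1)</script>';
$e = new HttpException(404, 'No route found for ' . $requestedPath);

echo renderErrorUnsafe($e), PHP_EOL; // script tag survives intact
echo renderErrorSafe($e), PHP_EOL;   // script tag arrives as &lt;script&gt;...
```

The difference is only where the escaping happens: the safe renderer treats the status code and the message as untrusted text at the moment they are written into HTML, which is the property the Drupal fix restores for the affected exceptions.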

The third security flaw, also rated critical, allowed attackers to download a full Drupal configuration export without the required permission.

"The system.temporary route would allow the download of a full config export," Drupal said. "The full config export should be limited to those with Export configuration permission."

CVE identifiers have been requested.

In July, Drupal patched a critical remote code execution flaw in vulnerable back-end website modules used to create REST APIs.
