Drupal Patched Critical RCE Vulnerabilities In Drupal 7 and 8


When it comes to web CMS platforms, after WordPress, one of the first names that comes to mind is usually Drupal. In fact, Drupal has succeeded in establishing itself as a more secure platform than WordPress and Joomla. Striving to maintain this reputation, Drupal actively fixes security flaws in its software. Recently, the developers at Drupal patched critical RCE vulnerabilities in two of its CMS versions, alongside a few moderately severe bugs.

Drupal Patched Critical RCE Vulnerabilities

Recently, Drupal published a security advisory describing multiple bugs that it fixed together. As stated there, the developers’ team at Drupal patched critical RCE vulnerabilities along with a few moderately critical flaws affecting Drupal 7 and Drupal 8. Precisely, they patched two remote code execution vulnerabilities and three moderately critical bugs.

The first of the two RCE flaws is the “Injection in DefaultMailSystem::mail()” – a remote code execution bug in the mail backend affecting Drupal 7 and Drupal 8. Describing it in the advisory, Drupal stated,

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
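The bug class the advisory describes is a caller-supplied value reaching a shell command line without being quoted for the shell. The snippet below is an added illustration of that class and its fix, not Drupal’s code: the command-line layout, the `SENDMAIL` path and the `HOSTILE_RETURN_PATH` sample are constructed for the example. It shows that the unquoted build lets the value split into extra shell tokens, while quoting with `shlex.quote` (or, better, skipping the shell entirely by passing an argv list) keeps the value as a single argument.

```python
import re
import shlex

# Constructed sample values for this example (not taken from Drupal).
SENDMAIL = "/usr/sbin/sendmail"
HOSTILE_RETURN_PATH = "bounce@example.com; echo injected"

# Simple allowlist for a return-path address; real validators are stricter,
# but rejecting shell metacharacters up front is a cheap second layer.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_command_unsafe(sendmail: str, return_path: str) -> str:
    """Concatenate a caller-supplied value straight into a shell command line.

    Any shell metacharacters inside return_path become shell syntax.
    """
    return f"{sendmail} -t -i -f {return_path}"


def build_command_safe(sendmail: str, return_path: str) -> str:
    """Same command line, but every variable is quoted for the shell first."""
    return f"{shlex.quote(sendmail)} -t -i -f {shlex.quote(return_path)}"


def argv_for_subprocess(sendmail: str, return_path: str) -> list:
    """Preferred form: an argv list for subprocess.run(..., shell=False).

    No shell is involved, so no quoting is needed at all.
    """
    return [sendmail, "-t", "-i", "-f", return_path]


def shell_tokens(command_line: str) -> list:
    """Split the way a POSIX shell would (shlex follows sh quoting rules)."""
    return shlex.split(command_line)


def is_plausible_address(value: str) -> bool:
    """Reject anything that is not a plain address before it gets near a command."""
    return bool(_ADDRESS_RE.match(value))


if __name__ == "__main__":
    unsafe = build_command_unsafe(SENDMAIL, HOSTILE_RETURN_PATH)
    safe = build_command_safe(SENDMAIL, HOSTILE_RETURN_PATH)
    print("unsafe tokens:", shell_tokens(unsafe))   # value splits into extra words
    print("safe tokens:  ", shell_tokens(safe))     # value stays one argument
    print("address ok?   ", is_plausible_address(HOSTILE_RETURN_PATH))  # False
```

The durable fix is the argv form: hand the process the arguments directly and never let a shell parse user-influenced text. Quoting is the fallback when an existing code path already builds a command string.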

The other flaw – a Contextual Links validation vulnerability – can also lead to remote code execution, in this case on Drupal 8. As explained by Drupal,

The Contextual Links module doesn’t sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.

In addition to these two critical flaws, three moderately severe flaws also received patches with this update. Two of them, affecting Drupal 8, are a Content Moderation access bypass vulnerability and an Anonymous Open Redirect vulnerability. The third, “External URL injection through URL aliases”, affected both Drupal 7 and Drupal 8.

Users Should Update Quickly For The Patches

The developers have already released the patches for all five vulnerabilities. As recommended by the vendor, users of Drupal 7.x should quickly upgrade to version 7.60. Those running Drupal 8.5.x or earlier should upgrade to Drupal 8.5.8, and Drupal 8.6.x users should update to version 8.6.2. Drupal recommends upgrading to the patched versions as soon as possible to protect against possible exploitation.
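A quick way to act on the version guidance above is a small checker that maps an installed Drupal version onto the patched release it should be at. This is an added example, not a Drupal tool; the only facts it encodes are the three patched versions named in this article (7.60, 8.5.8 and 8.6.2), and the rule that 8.5.x and earlier map to 8.5.8. Any branch the article does not cover (for example 8.7 or later) is reported as unknown rather than guessed.

```python
import re


def parse_version(text: str) -> tuple:
    """Turn '8.5.3' or '8.6.2-dev' into a tuple of ints for ordered comparison.

    Pre-release suffixes after '-' are dropped; they do not affect which
    patched release applies.
    """
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"not a Drupal version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def required_version(installed: str):
    """Return the patched release for this branch, per the advisory summary.

    Returns None when the branch is not covered by the article's guidance.
    """
    v = parse_version(installed)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    if major == 7:
        return (7, 60)
    if major == 8:
        if minor <= 5:          # 8.5.x and earlier -> 8.5.8
            return (8, 5, 8)
        if minor == 6:          # 8.6.x -> 8.6.2
            return (8, 6, 2)
    return None


def needs_update(installed: str):
    """True if the installed version is below the patched release for its branch.

    None means the article gives no guidance for that branch.
    """
    required = required_version(installed)
    if required is None:
        return None
    return parse_version(installed) < required


if __name__ == "__main__":
    # Constructed sample inventory, as a site operator might collect it.
    for site, version in [("intranet", "7.59"), ("shop", "8.5.3"),
                          ("blog", "8.6.2"), ("lab", "8.7.0-dev")]:
        print(f"{site:9} {version:10} needs update: {needs_update(version)}")
```

Tuple comparison does the ordering, so 8.4.x correctly falls below 8.5.8 and 7.60 itself is reported as already patched.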

Let us know your thoughts in the comments below.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

