Home Hacking News Drupal Patched Critical RCE Vulnerabilities In Drupal 7 and 8

Drupal Patched Critical RCE Vulnerabilities In Drupal 7 and 8

by Abeerah Hashim
Drupal flaws patched

When it comes to web CMS, after WordPress, one of the first names that strikes our mind is usually Drupal. In fact, Drupal has succeeded in establishing itself as a more secure platform when compared to WordPress and Joomla. Striving to maintain this reputation, Drupal seems to work actively in fixing various security flaws in its system. Recently, the developers at Drupal patched critical RCE vulnerabilities in two of its CMs versions, alongside a few moderately severe bugs.

Drupal Patched Critical RCE Vulnerabilities

Recently, Drupal has published a security advisory explaining about multiple bugs that it fixed together. As stated, the developers’ team at Drupal patched critical RCE vulnerabilities along with a few moderately critical flaws that affected Drupal 7 and Drupal 8. Precisely, they have patched two remote code execution vulnerabilities, and three moderately critical bugs.

From the two RCE flaws, one of them is the “Injection in DefaultMailSystem::mail()” – a remote code execution bug in the mail backend affecting Drupal 7 and Drupal 8. Describing it in their advisory, Drupal stated,

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Whereas, the other flaw – Contextual Links validation vulnerability – can also trigger remote attacks in case of Drupal 8. As explained by Drupal,

The Contextual Links module doesn’t sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.

In addition to these two critical flaws, three moderately severe flaws also received patches with this update. Two of these vulnerabilities affecting Drupal 8 include Content moderation access bypass vulnerability and the Anonymous Open Redirect vulnerability. Whereas, the last one, “External URL injection through URL aliases” affected both Drupal 7 and Drupal 8.

Users Should Update Quickly For The Patches

The developers have already released the patches for all five vulnerabilities. As recommended by the vendors, the users of Drupal 7.x should quickly upgrade to the version 7.60. Whereas, those having Drupal 8.5.x and earlier versions should upgrade to Drupal 8.5.8. Likewise, Drupal 8.6.x users should quickly update their software to version 8.6.2. Drupal recommends upgrading to the patched versions as soon in order to protect themselves against possible exploitation.

Let us know your thoughts in the comments below.

You may also like