Drupal 7 and 8 patch multiple critical vulnerabilities

News by Robert Abel

Drupal patched multiple vulnerabilities in both Drupal 7 and Drupal 8, including a comment reply form flaw that allows access to restricted content and an incomplete JavaScript cross-site scripting prevention flaw, both rated critical.

The comment reply form vulnerability was mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments, according to a 21 February security advisory.

The update also included patches for a private file access bypass flaw, a jQuery vulnerability with untrusted domains, a flaw in which language fallback can be incorrect on multilingual sites with node access restrictions, and a settings tray access bypass, all of which were rated moderately critical.

A less critical issue, external link injection on 404 pages, which could allow an attacker to trick users into unwillingly navigating to an external site, was also addressed.
