Drupal Core – Multiple Vulnerabilities

Description: Multiple vulnerabilities were recently addressed by the Drupal team. List: Inconsistent name for MySQL term access query – information on taxonomy terms might have been disclosed to unprivileged users. Incorrect cache context on password reset page – unwanted content on the password reset page. Confirmation forms allow external URLs to be injected – […]

Drupal Core – Critical – Multiple Vulnerabilities

Description: Multiple vulnerabilities were recently fixed by the Drupal team. Changes: Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. An attacker could create a specially crafted URL, which could execute arbitrary code in the […]

Drupal Core – Injection (Highly Critical)

Description: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/. Affected versions: Drupal core 8.x versions prior to 8.1.7. Recommended action: Install the latest version: If you use Drupal 8.x, upgrade to […]

Remote code execution in Drupal

Description: There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). The following modules have security releases that are now available, listed in order of severity. There are no more releases planned for today. RESTWS […]

Drupal Core – Multiple Vulnerabilities

Description: Multiple vulnerabilities have been recently fixed in Drupal core: Saving user accounts can sometimes grant the user all roles (User module – Drupal 7). A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all […]

Drupal Core – Critical – Multiple Vulnerabilities

Multiple vulnerabilities were recently announced by the Drupal developers. Description summary: File upload access bypass and denial of service; Brute force amplification attacks via XML-RPC; Open redirect via path manipulation; Form API ignores access restrictions on submit buttons; HTTP header injection using line breaks; Open redirect via double-encoded ‘destination’ parameter; Reflected file download vulnerability […]
