Drupal Core Critical Access Bypass Vulnerability

Posted in Drupal

This is a critical Drupal core vulnerability that allows an attacker to bypass access control.

A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

Affected versions: Drupal 8 prior to 8.2.8 and 8.3.1.

Recommended action:

  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.
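
The conditions and version ranges above can be applied to a site inventory to decide which sites to patch first. The following is an added example, not part of the original advisory; the record fields (`version`, `rest_enabled`, `patch_allowed`, `accounts_obtainable`) and the sample sites are constructed for illustration.

```python
import re

# Fixed releases named in the advisory.
FIXED_82 = (8, 2, 8)
FIXED_83 = (8, 3, 1)

def parse_version(text):
    """Return (major, minor, patch) from strings like '8.2.7', '8.3.0-rc1' or '7.54'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def upgrade_target(version):
    """Fixed release to upgrade to, or None if the version is outside the affected range."""
    v = parse_version(version)
    if v[0] != 8:
        return None                      # advisory covers Drupal 8 only
    fixed = FIXED_83 if v[:2] == (8, 3) else FIXED_82
    return ".".join(map(str, fixed)) if v < fixed else None

def triage(site):
    """Combine the version check with the three exposure conditions from the advisory."""
    target = upgrade_target(site["version"])
    conditions = {
        "rest module enabled": site["rest_enabled"],
        "PATCH requests allowed": site["patch_allowed"],
        "attacker can get or register an account": site["accounts_obtainable"],
    }
    unmet = [name for name, ok in conditions.items() if not ok]
    if target is None:
        status = "fixed-or-unaffected-version"
    elif unmet:
        status = "vulnerable-version-conditions-not-all-met"
    else:
        status = "affected"              # all conditions met on an affected version
    return {"status": status, "upgrade_to": target, "unmet": unmet}

# Constructed sample inventory (hypothetical sites).
SITES = [
    {"name": "shop", "version": "8.2.7", "rest_enabled": True, "patch_allowed": True, "accounts_obtainable": True},
    {"name": "blog", "version": "8.3.0", "rest_enabled": True, "patch_allowed": False, "accounts_obtainable": True},
    {"name": "docs", "version": "8.3.1", "rest_enabled": True, "patch_allowed": True, "accounts_obtainable": True},
]

if __name__ == "__main__":
    for site in SITES:
        print(site["name"], triage(site))
```

Sites on an affected version that do not currently meet every condition are still reported with an upgrade target, since a later configuration change (enabling the rest module or opening registration) would expose them.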
