Drupal Core – Critical – Multiple Vulnerabilities

Posted in Drupal

Multiple vulnerabilities were recently announced by the Drupal developers.

Description summary:

  • File upload access bypass and denial of service
  • Brute force amplification attacks via XML-RPC
  • Open redirect via path manipulation
  • Form API ignores access restrictions on submit buttons
  • HTTP header injection using line breaks
  • Open redirect via double-encoded 'destination' parameter
  • Reflected file download vulnerability
  • Saving user accounts can sometimes grant the user all roles
  • Email address can be matched to an account
  • Session data truncation can lead to unserialization of user provided data

Versions affected

  • Drupal core 6.x versions prior to 6.38
  • Drupal core 7.x versions prior to 7.43
  • Drupal core 8.0.x versions prior to 8.0.4

Solution: install the latest version for your branch (6.38, 7.43 or 8.0.4 respectively).

Origin URL: https://www.drupal.org/SA-CORE-2016-001
