Drupal Core – Multiple Vulnerabilities

Posted in Drupal

Description: The Drupal team recently addressed multiple vulnerabilities in Drupal core.

List:

  • Inconsistent name for MySQL term access query - information on taxonomy terms might have been disclosed to unprivileged users.
  • Incorrect cache context on password reset page - unwanted content could appear on the password reset page.
  • Confirmation forms allow external URLs to be injected - malicious users could construct a URL to a confirmation form so that users are redirected to a 3rd party website after interacting with the form.
  • Denial of service via transliterate mechanism - a specially crafted URL can cause a denial of service via the transliterate mechanism.

Affected versions:

  • Drupal core 7.x versions prior to 7.52
  • Drupal core 8.x versions prior to 8.2.3
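To triage an inventory against the ranges above, the following added example (not part of the original advisory or of Drupal) classifies version strings in Drupal's release format. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed release per branch, taken from the affected-versions list above.
FIXED = {7: (7, 52), 8: (8, 2, 3)}

# Tagged releases look like "7.51", "8.2.3" or "8.2.0-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-(?:alpha|beta|rc)\d+)?$")


def parse_version(text):
    """Return (numbers, is_prerelease), or None for strings such as '7.x-dev'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        return None  # dev snapshots carry no release number to compare
    major, minor, patch, pre = m.groups()
    numbers = (int(major), int(minor)) + ((int(patch),) if patch else ())
    return numbers, pre is not None


def is_affected(text):
    """True or False for tagged 7.x/8.x releases, None when it cannot be decided."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    numbers, is_pre = parsed
    fixed = FIXED.get(numbers[0])
    if fixed is None:
        return None  # the advisory lists only the 7.x and 8.x branches
    # Pad to equal length so (8, 2) compares as (8, 2, 0).
    width = max(len(numbers), len(fixed))
    numbers += (0,) * (width - len(numbers))
    fixed += (0,) * (width - len(fixed))
    if numbers != fixed:
        return numbers < fixed  # integer compare: 7.9 sorts before 7.52
    return is_pre  # a pre-release of the fixed number predates the fix


def triage(inventory):
    """Map each site to 'update', 'ok' or 'check manually'."""
    labels = {True: "update", False: "ok", None: "check manually"}
    return {site: labels[is_affected(v)] for site, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical site names).
    sample = {"intranet": "7.51", "shop": "8.2.3", "blog": "8.1.10", "lab": "7.x-dev"}
    for site, status in triage(sample).items():
        print(f"{site}: {status}")
```

Development snapshots and branches outside 7.x and 8.x come back as "check manually" because the advisory gives no release number to compare them against.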

Recommended action:

Origin URLs:
