Drupal releases urgent security patches for several 'moderately critical' flaws
The vulnerabilities affect the third-party libraries in Drupal 8.6, Drupal 8.5 and Drupal 7
Open-source content management system Drupal has released a series of software updates to fix several "moderately critical" vulnerabilities.
The issues, which affect Drupal core, could enable cybercriminals to launch remote attacks on hundreds of thousands of websites.
In a string of security advisories, the firm confirmed that the vulnerabilities affect the third-party libraries in Drupal 8.6, Drupal 8.5 and Drupal 7.
Among the vulnerabilities is a cross-site scripting flaw in jQuery, a third-party library used by millions of websites across the world.
Drupal said: "jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...).
"If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions."
It went on to explain that the vulnerability could be exploitable with some Drupal modules, recommending: "As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update."
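The jQuery.extend(true, {}, ...) behaviour described in the advisory quoted above, reproduced with a minimal deep-merge helper rather than jQuery's own code. This is an added example and is not part of the article or the Drupal advisory. The unsafe helper has the defect the advisory describes: when the source carries an own enumerable __proto__ key, reading target["__proto__"] yields Object.prototype, and the recursive merge writes into it. The hardened helper skips the __proto__ key, as the jQuery 3.4.0 fix does, and as an extra precaution chosen for this example also skips constructor and prototype and only recurses into own plain-object properties. The JSON input and the property name "polluted" are constructed for the demonstration.

```javascript
// Constructed sample input: untrusted JSON whose "__proto__" key becomes an
// own, enumerable property after JSON.parse (it is data, not the prototype link).
const SAMPLE_JSON = '{"name":"site","__proto__":{"polluted":"yes"}}';

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Defective deep merge, modelled on the pre-3.4.0 jQuery.extend(true, ...) behaviour.
// For key "__proto__", target[key] resolves through the accessor to Object.prototype,
// and the recursion then copies the nested keys onto every object.
function unsafeDeepExtend(target, source) {
  for (const key in source) {
    const src = source[key];
    if (src && typeof src === 'object' && !Array.isArray(src)) {
      const existing = target[key]; // Object.prototype when key is "__proto__"
      const clone = existing && typeof existing === 'object' ? existing : {};
      target[key] = unsafeDeepExtend(clone, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened deep merge: skip keys that can reach a prototype, and only recurse
// into the target's own plain-object properties (never an inherited one).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = isPlainObject(ownExisting) ? ownExisting : {};
      target[key] = safeDeepExtend(clone, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs both merges on the same untrusted input and reports whether a fresh,
// unrelated object picked up the "polluted" property. Cleans up between runs.
function demo(rawJson) {
  const before = ({}).polluted;
  unsafeDeepExtend({}, JSON.parse(rawJson));
  const afterUnsafe = ({}).polluted;
  delete Object.prototype.polluted; // reset the global state the unsafe merge changed
  safeDeepExtend({}, JSON.parse(rawJson));
  const afterSafe = ({}).polluted;
  return { before, afterUnsafe, afterSafe };
}

console.log(demo(SAMPLE_JSON));
```

A quick check for the same class of defect in any deep-merge code is whether `({}).someMarker` is still `undefined` after merging attacker-controlled JSON; the `demo` function above returns exactly that before/after comparison for both helpers.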
The other flaws affect the Symfony PHP components in Drupal core and could let attackers carry out cross-site scripting, authentication bypass and remote code execution attacks.
When it comes to mitigating these flaws, Drupal told users to install the latest version of the content management system.
Its recommendations were:
- If you are using Drupal 8.6, update to Drupal 8.6.15.
- If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
- If you are using Drupal 7, update to Drupal 7.66.
However, the firm added that "versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage".