![]() ![]() Drupal v7.x is still maintained and receives security updates, but it will reach end-of-life in November of 2021, so admins that use it are urged to start planning the upgrade to a newer version, preferably 9.x. A remote attacker could exploit this vulnerability using. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Drupal is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. ![]() “An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and get full control that allows changing of content, creating malicious links, stealing sensitive or financial data, or whatever else comes to mind.” What to do?Īdmins of Drupal-based sites are advised to upgrade to Drupal v7.72, 8.8.8, 8.9.1 or 9.0.1. Pentest-tools Drupal security scanner is a robust tool used to identify potential security flaws with Drupal websites. In this case, an attacker can manipulate their input data to include XSS content on the web page, for example, malicious JavaScript code, which in-turn would be consumed by Drupal Core itself,” the company explained. XSS can cause significant violations on the application or for the client by injecting harmful scripts into the place where a web application receives user. “This type of XSS attack is achievable if a web application enters data to the DOM without being appropriately sanitized. The third one – CVE-2020-13663 – also affects Drupal 7.x, the most widely used Drupal version (both according to Drupal and W3Techs).ĬVE-2020-13663 is a document object model-based cross-site scripting (DOM XSS) vulnerability that was unearthed by Checkmarx researcher Dor Tumarkin. (By default, JSON:API works in a read-only mode.)īoth of these flaws affect Drupal versions 8.8.x, 8.9.x and 9.0.x. Vulnerability Breakdown A reflected XSS vulnerability occurs when an attacker can provide values to a victim via a crafted URL or webpage, which, once interacted with by the victim, passes tainted parameters to a webpage in the user’s browser. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal’s security team explained, and added that Windows servers are most likely to be affected.ĬVE-2020-13665 is an access bypass flaw that can be exploited only on sites that have the read_only set to FALSE under ttings configuration. Drupal has been found vulnerable to another critical vulnerability that could allow. “An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. Read the latest updates about XSS vulnerability on The Hacker News. Three security holes have been plugged with the latest versions of Drupal core (9.0.1):ĬVE-2020-13664 is the most critical one, but can be only triggered under certain circumstances. About the most recently fixed vulnerabilities The most recent stable version is 9.x, released earlier this month. Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.ĭrupal is a free and open-source web content management system (CMS), and over a million sites run on various versions of it.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |