Multiple vulnerabilities in Drupal could allow an authenticated, remote attacker to access sensitive information, bypass security restrictions, modify data, conduct redirection attacks, or conduct cross-site scripting (XSS) attacks on a targeted system.
The vulnerabilities are due to insufficient validation of user-supplied input processed by the affected software and to improperly implemented security restrictions in the affected software. An attacker could exploit these vulnerabilities by submitting crafted input to the affected software on a targeted system. A successful exploit could allow the attacker to gain unauthorized access to sensitive information, bypass security restrictions, make unauthorized changes to certain data, or conduct XSS and redirection attacks on the targeted system.
The following versions of Drupal are vulnerable:
- Drupal 7 versions prior to version 7.57
- Drupal 8 versions prior to version 8.4.5
Administrators are advised to:
- apply the appropriate updates
- allow only trusted users to have network access
- monitor affected systems
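To act on the update advice, an administrator first needs to know which release is actually deployed. The following script is an added example, not code from the original advisory or from the Drupal project: it reads the version string that Drupal core records about itself (in `includes/bootstrap.inc` for Drupal 7 and `core/lib/Drupal.php` for Drupal 8, assumed to be a standard core layout) and compares it against the fixed releases named above (7.57 and 8.4.5). The two sample file fragments are constructed for the demonstration so the script runs offline; `check_install()` performs the same check against a real install root. Major versions the advisory does not list are reported as not covered rather than as safe.

```python
import re
from pathlib import Path

# First fixed release per major version, as listed in the advisory.
FIXED = {7: (7, 57), 8: (8, 4, 5)}

# Files in which Drupal core declares its own version
# (assumption: standard core layout, paths relative to the install root).
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")

# Drupal 7: define('VERSION', '7.56');   Drupal 8: const VERSION = '8.4.4';
VERSION_RE = re.compile(
    r"(?:define\('VERSION',\s*'|const VERSION = ')"
    r"(?P<ver>\d+(?:\.\d+)+(?:-[0-9A-Za-z.]+)?)'"
)

# Constructed sample fragments standing in for the real files.
SAMPLE_D7 = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.56');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.4.4';\n}\n"


def extract_version(source):
    """Return the version string declared in a Drupal core file, or None."""
    m = VERSION_RE.search(source)
    return m.group("ver") if m else None


def parse_version(ver):
    """'8.5.0-beta1' -> ((8, 5, 0), 'beta1'); '7.56' -> ((7, 56), '')."""
    core, _, suffix = ver.partition("-")
    return tuple(int(p) for p in core.split(".")), suffix


def is_vulnerable(ver):
    """True if `ver` predates the fixed release for its major version.

    Returns None for major versions the advisory does not cover, so the
    caller cannot mistake "not listed" for "fixed". A pre-release suffix
    is parsed but not used in the comparison.
    """
    nums, _suffix = parse_version(ver)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return None
    return nums < fixed


def check_source(source):
    """Classify one file's contents: (version, vulnerable) or (None, None)."""
    ver = extract_version(source)
    if ver is None:
        return None, None
    return ver, is_vulnerable(ver)


def check_install(root):
    """Locate the version file under `root` and classify the install."""
    root = Path(root)
    for rel in VERSION_FILES:
        path = root / rel
        if path.is_file():
            ver, vuln = check_source(path.read_text(encoding="utf-8", errors="replace"))
            if ver is not None:
                return str(path), ver, vuln
    return None, None, None


if __name__ == "__main__":
    for label, sample in (("Drupal 7 sample", SAMPLE_D7), ("Drupal 8 sample", SAMPLE_D8)):
        ver, vuln = check_source(sample)
        state = {True: "VULNERABLE", False: "fixed", None: "not covered by advisory"}[vuln]
        print(f"{label}: version {ver} -> {state}")
```

Run it with a real install by calling `check_install("/var/www/drupal")`; a result of `True` means the deployed release is older than the fixed one for that branch and the update should be scheduled.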
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Drupal.org has released a security advisory at the following link: SA-CORE-2018-001
Drupal.org has released software updates at the following links:
FreeBSD has released a VuXML document at the following link: drupal — Drupal Core – Multiple Vulnerabilities
FreeBSD has released ports collection updates at the following link: Ports Collection Index
CVE numbers:
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.