Critical security updates for Drupal (Drupal 8 version 8.4.5 and Drupal 7 version 7.57) have been released and it is essential that any websites using earlier Drupal versions are upgraded as soon as possible to keep them secure and prevent hacks and unauthorised access, including information disclosure, content tampering, and unauthorised file uploads.

Identified vulnerabilities 

A full list of the identified vulnerabilities can be found on the Drupal security information page under SA-CORE-2018-001; they are summarised below:

Comment reply form allows access to restricted content – Critical

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

JavaScript cross-site scripting prevention is incomplete – Critical

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.
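As an added illustration (not Drupal's own code and not the actual Drupal.checkPlain() implementation), the pair of functions below shows the general kind of gap described above: an escaper that encodes only four characters is safe for text nodes and double-quoted attributes but leaves a single-quoted attribute context unprotected, and a simple regression check catches the omission. The function names and the sample value are assumptions made for the example.

```javascript
// Added example, not Drupal's code. Hypothetical four-character escaper:
// adequate for HTML text and double-quoted attribute values, but a raw
// single quote survives and can still terminate a single-quoted attribute.
function escapeFourChars(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Complete escaper for HTML text and attribute values: all five
// metacharacters are encoded, and '&' is handled first so the entities
// produced by the later replacements are not re-encoded.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Regression check to keep beside a site's own escaping helper: escaped
// output must contain no raw '<', '>', '"' or "'", and every '&' must be
// the start of one of the entities the escaper itself emits.
const UNSAFE_HTML = /[<>"']|&(?!(?:amp|lt|gt|quot|#039);)/;
function isSafeForHtml(escaped) {
  return !UNSAFE_HTML.test(escaped);
}

// Constructed sample value containing every HTML metacharacter.
const SAMPLE = 'O\'Brien & "Sons" <media>';

// Returns true only if the given escaper neutralises the whole sample.
function escaperIsComplete(escaper) {
  return isSafeForHtml(escaper(SAMPLE));
}
```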

Private file access bypass – Moderately Critical

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

jQuery vulnerability with untrusted domains – Moderately Critical

A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to be exploited.

We can help you upgrade

We can upgrade your Drupal website for you with our cost-effective Drupal upgrade service. Contact us for more details. If you're an O'Brien Media website hosting customer, you can view your Drupal version information and request an upgrade via Client Connect: just log in and open the "My products" section for more information.

You can find information on upgrading your website yourself in our knowledge base.
