Critical security updates for Drupal (Drupal 8 version 8.4.5 and Drupal 7 version 7.57) have been released and it is essential that any websites using earlier Drupal versions are upgraded as soon as possible to keep them secure and prevent hacks and unauthorised access, including information disclosure, content tampering, and unauthorised file uploads.
Comment reply form allows access to restricted content – Critical
Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
Private file access bypass – Moderately Critical
When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.
jQuery vulnerability with untrusted domains – Moderately Critical
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.
We can help you upgrade
We can upgrade your Drupal website for you with our cost effective Drupal upgrade service. Contact us for more details or if you're an O'Brien Media website hosting customer you can view your Drupal version information and request an upgrade via Client Connect, just log in and access the "My products" section for more information.