There is a vulnerability in the Drupal content management system that allows attackers to gain control of vulnerable systems. The US cyber security authority CISA is currently warning about this. Updated software is available to patch the vulnerability.
The vulnerability allows access restrictions to be bypassed and affects multiple versions of Drupal, CISA summarizes in its warning. The authority advises Drupal administrators and users to apply the necessary updates.
Drupal: cross-site scripting attack vector
The vulnerability stems from the fact that Drupal core provides a page that outputs the extensive information returned by phpinfo(). This page is used to diagnose the PHP system configuration. While it cannot be accessed directly, attackers can gain access to the information if they can run a cross-site scripting attack against users with elevated privileges.
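The risk described above is that a diagnostic page built on phpinfo() exposes far more than PHP settings: the environment and request sections also dump database passwords and API keys handed to the process. The following is an added example, not Drupal project code, that shows why the full report is dangerous and how a diagnostics page can limit its blast radius by gating access and requesting only the non-secret sections. The `user_may_view_diagnostics()` permission gate and the `DB_PASSWORD` value are constructed for this example; the `phpinfo()` section flags (`INFO_GENERAL`, `INFO_CONFIGURATION`, `INFO_MODULES`, `INFO_ENVIRONMENT`, `INFO_VARIABLES`, `INFO_ALL`) are standard PHP constants. Requires PHP 8 for `str_contains()`.

```php
<?php
// Added example (not Drupal project code): shows why a phpinfo() page is a
// secret-disclosure risk and how to reduce what it can leak.

declare(strict_types=1);

// Constructed sample secret. In a real deployment such values arrive from the
// hosting/container environment (database passwords, API keys, ...).
putenv('DB_PASSWORD=example-secret-do-not-use');

/**
 * Capture phpinfo() output for the given section flags instead of echoing it,
 * so the caller decides whether and to whom it is shown.
 */
function capture_phpinfo(int $flags): string
{
    ob_start();
    phpinfo($flags);
    return (string) ob_get_clean();
}

/**
 * Hypothetical permission gate standing in for the CMS's own access check:
 * only users holding the administrative permission may see diagnostics.
 */
function user_may_view_diagnostics(array $user): bool
{
    return in_array('administer site configuration', $user['permissions'] ?? [], true);
}

/**
 * Hardened diagnostics page: access-gated, and deliberately omitting
 * INFO_ENVIRONMENT and INFO_VARIABLES, the sections that dump the process
 * environment and request superglobals where secrets actually live.
 */
function diagnostics_page(array $user): string
{
    if (!user_may_view_diagnostics($user)) {
        http_response_code(403);
        return 'Access denied';
    }
    return capture_phpinfo(INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES);
}

// Demonstration: the full report contains the environment secret, the reduced
// report does not, even for a legitimately privileged user.
$full    = capture_phpinfo(INFO_ALL);
$reduced = diagnostics_page(['permissions' => ['administer site configuration']]);
$denied  = diagnostics_page(['permissions' => ['access content']]);

printf("INFO_ALL report contains the secret: %s\n",
    str_contains($full, 'example-secret') ? 'yes' : 'no');
printf("Reduced report contains the secret: %s\n",
    str_contains($reduced, 'example-secret') ? 'yes' : 'no');
printf("Unprivileged user gets: %s\n", $denied);
```

The access check alone is not enough, which is exactly the point of the advisory: a cross-site scripting payload executed in an administrator's browser inherits that administrator's session and passes the gate. Reducing the sections rendered, or removing the page entirely where it is not needed, limits what such an attack can read even when the gate is bypassed.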
The vulnerability has not yet received a CVE entry. The Drupal project rates the vulnerability as a moderate risk. Updated software versions of the CMS close the security hole: for Drupal 10.0 this is version 10.0.5, for Drupal 9.5 version 9.5.5, for Drupal 9.4 version 9.4.12 and for Drupal 7 version 7.95.0. The developers point out that all versions of Drupal 9 before 9.4 have reached end of life and no longer receive security updates. Drupal 8 has also reached end of life. Where necessary, IT managers should update to a supported version of Drupal and apply available updates in a timely manner.
Last November, the Drupal project had to close vulnerabilities that made websites built with it attackable. Attackers could gain access to data they were not authorized to see and that was supposed to be locked away.