Drupal Releases Security Updates

The very popular website Content Management System Drupal has released security updates to resolve 4 CVEs within versions 6 and 7 of their product. The pervasiveness of Drupal, and thus the huge scale of the risks posed by these issues, is detailed in this blog post.

For a definition of the term CVE, please see the first short aside within this blog post.

The first security flaw, relating to the impersonation of legitimate users of the Content Management System, is the only flaw rated critical by Drupal and should be patched/updated immediately. This flaw could allow a malicious user to log in as an authenticated user (i.e. a user who is legitimately accessing the Content Management System) and could be especially severe if that authorized user has high privileges.

A further 2 less critical flaws could cause authenticated users to be redirected to 3rd party websites of the attacker’s choice without the user’s consent/permission, which could place your users in danger of being exploited by other unpatched vulnerabilities on their devices. The final flaw is an information disclosure issue that could allow malicious users to view content that was previously cached when authenticated users legitimately viewed it.
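To illustrate the redirect flaw class described above from the defender's side, here is an added example (not Drupal's own code, and not taken from the advisory) of the kind of destination check that prevents a site from sending users to an attacker-chosen 3rd party host: anything that does not resolve to a path on the site's own hostname is refused and the user is sent to a safe default instead. The hostname `example.org` and the sample destinations are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed: the hostname of the site doing the redirecting.
SITE_HOST = "example.org"
SAFE_DEFAULT = "/"


def is_safe_redirect(destination: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if `destination` resolves to a path on our own site.

    The check resolves the value against the site's base URL, so relative
    paths ("/user/1") pass, while absolute URLs, protocol-relative URLs and
    non-http schemes whose host is not ours are refused.
    """
    if not destination:
        return False
    dest = destination.strip()
    # Some browsers treat a backslash like a forward slash; refuse it outright
    # rather than reason about every parser quirk.
    if "\\" in dest:
        return False
    parts = urlsplit(urljoin(f"https://{site_host}/", dest))
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == site_host


def resolve_redirect(destination: str, site_host: str = SITE_HOST) -> str:
    """Return the destination to actually redirect to: the request's own
    value when it is on-site, otherwise the safe default."""
    return destination if is_safe_redirect(destination, site_host) else SAFE_DEFAULT


if __name__ == "__main__":
    # Constructed sample values a "destination" query parameter might carry.
    for value in ["/user/1", "node/42", "https://example.org/admin",
                  "https://other.example/", "//other.example/x", ""]:
        print(f"{value!r:32} -> {resolve_redirect(value)!r}")
```

Use `resolve_redirect()` wherever a redirect target comes from request data; the same-host rule is deliberately strict, so a site that legitimately redirects to a second hostname would extend the check with an explicit allow-list rather than relax it.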

Drupal users should upgrade to version 6.36 or 7.38 to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.
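As an added example (not part of the original post or of Drupal itself) of how an administrator can confirm that an install has reached the fixed versions named above, the script below reads the `VERSION` constant that Drupal 6 and 7 define in PHP and compares it against 6.36 / 7.38. It assumes the constant lives in `includes/bootstrap.inc` (Drupal 7) or `modules/system/system.module` (Drupal 6); the sample file contents are constructed.

```python
import re
from pathlib import Path

# Minimum versions that carry the fixes described in the advisory.
FIXED_VERSIONS = {6: (6, 36), 7: (7, 38)}

# Files in which Drupal 7 and Drupal 6 define their VERSION constant
# (assumption based on the 6.x/7.x source layout; adjust if yours differs).
VERSION_FILES = ("includes/bootstrap.inc", "modules/system/system.module")

# Matches e.g. define('VERSION', '7.38'); pre-release suffixes such as
# '7.38-dev' are matched too, so treat a -dev build as unverified.
VERSION_RE = re.compile(
    r"define\(\s*'VERSION'\s*,\s*'([0-9]+)\.([0-9]+)([^']*)'\s*\)")


def parse_version(php_source: str):
    """Return (major, minor, suffix) from a VERSION define, or None."""
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_patched(version):
    """True if the version is at or above the advisory's fixed release,
    False if below it, None if the branch is not covered (e.g. 8.x) or the
    version carries a pre-release suffix and cannot be trusted."""
    major, minor, suffix = version
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None or suffix:
        return None
    return (major, minor) >= fixed


def check_files(files: dict):
    """`files` maps a relative path to its contents; returns (version, patched)."""
    for rel in VERSION_FILES:
        src = files.get(rel)
        if src is None:
            continue
        version = parse_version(src)
        if version:
            return version, is_patched(version)
    return None, None


def check_install(root: str):
    """Read the version files from a Drupal docroot on disk and check them."""
    files = {}
    for rel in VERSION_FILES:
        p = Path(root) / rel
        if p.is_file():
            files[rel] = p.read_text(errors="replace")
    return check_files(files)


if __name__ == "__main__":
    # Constructed sample: what includes/bootstrap.inc looks like on a
    # not-yet-updated Drupal 7 site.
    sample = {"includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.37');\n"}
    version, patched = check_files(sample)
    print(f"found {version}, patched: {patched}")
```

Run `check_install("/var/www/drupal")` (path is a placeholder) against each site you manage; a `False` result means the site is still exposed to all four issues and should be updated immediately, and a `None` result means the script could not determine this and the version must be checked by hand.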

Thank you.
