The US cyber security agency CISA is warning of a vulnerability in the Drupal content management system that, in CISA's words, attackers could exploit to take control of affected systems. Updated releases that close the hole are available.
The vulnerability allows access restrictions to be bypassed and affects several Drupal versions, CISA summarizes in its advisory. Administrators and users of Drupal should apply the necessary updates, the agency advises.
Drupal: attack vector cross-site scripting
The vulnerability stems from a page in Drupal core that displays the extensive output of phpinfo(), which is used to diagnose the PHP system configuration. The page is not directly accessible to unprivileged users. Attackers could nevertheless obtain its contents if they manage to mount a cross-site scripting attack against a user with elevated privileges: the script runs in the privileged user's session and can fetch the page on their behalf. That matters because phpinfo() output includes environment variables, file system paths, loaded extensions and configuration values, all of which help an attacker plan further attacks.
The vulnerability has not yet received a CVE identifier. The Drupal project rates the risk as moderate. Updated releases of the CMS close the hole: version 10.0.5 for Drupal 10.0, 9.5.5 for Drupal 9.5, 9.4.12 for Drupal 9.4 and 7.95 for Drupal 7. The developers point out that all Drupal 9 releases before 9.4 have reached end-of-life and no longer receive security updates; Drupal 8 has also reached end-of-life. Where necessary, IT managers should first move to a supported Drupal version and then apply the available updates promptly.
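To turn the version list above into a quick check, here is an added example script (not code from heise or from the Drupal project). It reads the installed core version from the standard locations (`core/lib/Drupal.php` for Drupal 8 and later, `includes/bootstrap.inc` for Drupal 7) and reports whether that release is patched, still vulnerable, on an end-of-life branch, or on a branch the advisory does not list. The fixed-version table is taken from the article; the sample PHP snippets at the bottom are constructed for the stand-alone run.

```python
"""Check an installed Drupal core version against the releases that fix
the phpinfo() disclosure.  Added example, not part of the article or Drupal."""
import re
import sys
from pathlib import Path
from typing import Optional

# Lowest release of each supported branch that contains the fix (from the article).
FIXED_VERSIONS = {
    (10, 0): (10, 0, 5),
    (9, 5): (9, 5, 5),
    (9, 4): (9, 4, 12),
    (7,): (7, 95),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(s: str) -> tuple:
    """'10.0.5' -> (10, 0, 5); '7.95' -> (7, 95).

    Pre-release tags are dropped, so '9.5.5-rc1' is treated as 9.5.5.
    That is optimistic: a release candidate may not carry the fix yet."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a Drupal version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unlisted' for a version string."""
    v = parse_version(version)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    if major == 7:
        branch = (7,)
    elif major == 8 or (major == 9 and minor < 4):
        return "eol"            # no security updates at all; upgrade first
    elif major in (9, 10):
        branch = (major, minor)
    else:
        return "unlisted"       # not covered by the advisory summary above
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unlisted"
    return "patched" if v >= fixed else "vulnerable"


# Where Drupal core records its own version.
_SOURCE_PATTERNS = [
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),                # Drupal 8+: core/lib/Drupal.php
    re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),   # Drupal 7: includes/bootstrap.inc
]


def extract_version(php_source: str) -> Optional[str]:
    """Pull the VERSION constant out of either file's source text."""
    for rx in _SOURCE_PATTERNS:
        m = rx.search(php_source)
        if m:
            return m.group(1)
    return None


def installed_version(docroot: str) -> Optional[str]:
    """Locate the version file under a Drupal document root and read it."""
    root = Path(docroot)
    for rel in ("core/lib/Drupal.php", "includes/bootstrap.inc"):
        f = root / rel
        if f.is_file():
            return extract_version(f.read_text(encoding="utf-8", errors="replace"))
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = installed_version(sys.argv[1])
        print(f"{sys.argv[1]}: {found} -> {assess(found) if found else 'version file not found'}")
    else:
        # Constructed samples standing in for the two real version files.
        samples = {
            "d10 (constructed)": "<?php\nclass Drupal {\n  const VERSION = '10.0.4';\n}\n",
            "d7 (constructed)": "<?php\ndefine('VERSION', '7.95');\n",
        }
        for name, src in samples.items():
            ver = extract_version(src)
            print(f"{name}: {ver} -> {assess(ver)}")
```

Run it as `python drupal_phpinfo_check.py /var/www/html` against a site's document root; without an argument it evaluates the two constructed samples. A result of `unlisted` means the release is on a branch the advisory summary does not mention, so consult the Drupal security advisory directly rather than assuming it is safe.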
Last November, the Drupal project had to close vulnerabilities that left websites built with it open to attack. Attackers could have accessed data that was supposed to be isolated.
(dmk)