9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
85.7%
Drupal, the popular open-source content management system, has released security updates to address multiple βmoderately criticalβ vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites.
According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in third-party libraries that are included in Drupal 8.6, Drupal 8.5 or earlier and Drupal 7.
One of the security flaws is a cross-site scripting (XSS) vulnerability that resides in a third-party plugin, called JQuery, the most popular JavaScript library that is being used by millions of websites and also comes pre-integrated in Drupal Core.
Last week, JQuery released its latest version jQuery 3.4.0 to patch the reported vulnerability, which has not yet assigned a CVE number, that affects all prior versions of the library to that date.
> βjQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, β¦). If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype,β the advisory explains.
βItβs possible that this vulnerability is exploitable with some Drupal modules.β
The rest three security vulnerabilities reside in Symfony PHP components used by Drupal Core that could result in cross-site scripting (CVE-2019-10909), remote code execution (CVE-2019-10910) and authentication bypass (CVE-2019-1091) attacks.
Considering the popularity of Drupal exploits among hackers, you are highly recommended to install the latest update of the CMS as soon as possible:
Almost two months ago, Drupal maintainers patched a critical RCE vulnerability in Drupal Core without releasing any technical details of the flaw that could have allowed remote attackers to hack its customersβ website.
But despite that, the proof-of-concept (PoC) exploit code for the vulnerability was made publicly available on the Internet just two days after the team rolled out the patched version of its software.
And then, several individuals and groups of hackers started actively exploiting the flaw to install cryptocurrency miners on vulnerable Drupal websites that did not update their CMSes to the latest version.
Last year, attackers also targeted hundreds of thousands of Drupal websites in mass attacks using in the wild exploits leveraging two separate critical remote code execution vulnerabilities, which were dubbed Drupalgeddon2 and Drupalgeddon3.
In those case as well, the attacks started shortly after PoC exploit code for both the vulnerabilities was published on the Internet, which was then followed by large-scale Internet scanning and exploitation attempts.
Long story shortβPatch your websites before it gets too late.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
85.7%