Drupal vulnerability could allow attackers to take over the system
There is a security hole in the Drupal content management system that allows attackers to take control of vulnerable systems. The US cyber security authority CISA is currently warning of this. Updated software to patch the vulnerability is available.
The vulnerability allows access restrictions to be bypassed and affects several Drupal versions, CISA summarizes in its alert. The authority advises Drupal administrators and users to apply the necessary updates.
Drupal: Cross-site scripting attack vector
The vulnerability stems from a page in Drupal core that outputs the extensive information produced by phpinfo(), which is used to diagnose the PHP system configuration. The page is not directly accessible, but attackers could obtain its contents if they succeed in a cross-site scripting attack against a user with elevated privileges: script running in that user's browser could fetch the page with the victim's session and exfiltrate details such as installed extensions, configuration paths and environment variables.
The vulnerability has not yet received a CVE entry. The Drupal project rates it as moderately critical. Updated versions of the CMS close the hole: for Drupal 10.0 this is version 10.0.5, for Drupal 9.5 version 9.5.5, for Drupal 9.4 version 9.4.12 and for Drupal 7 version 7.95. The developers point out that all Drupal 9 versions before 9.4 have reached end of life and no longer receive security updates; Drupal 8 has also reached end of life. Where necessary, IT managers should first migrate to a supported Drupal branch and then apply the available updates promptly.
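The fastest way to see whether an installation is affected is to compare its core version against the fixed releases above and the end-of-life branches. The following script is an added example and not code from the Drupal project or from CISA; it assumes that Drupal 8 and later record the version in core/lib/Drupal.php (const VERSION = '...') and Drupal 7 in includes/bootstrap.inc (define('VERSION', '...')), and the fixed-version table is taken from the advisory figures quoted in this article.

```python
"""Classify a Drupal docroot against the fixed releases named in the advisory.

Added example, not Drupal project code. Assumed file locations:
  Drupal 8+ : core/lib/Drupal.php      -> const VERSION = '10.0.5';
  Drupal 7  : includes/bootstrap.inc   -> define('VERSION', '7.95');
"""
import re
import sys
from pathlib import Path

# Fixed releases from the advisory, keyed by the branch they belong to.
FIXED_RELEASES = {
    (10, 0): (10, 0, 5),
    (9, 5): (9, 5, 5),
    (9, 4): (9, 4, 12),
    (7,): (7, 95),
}

# Matches both "const VERSION = '10.0.5';" and "define('VERSION', '7.95');".
VERSION_RE = re.compile(r"""VERSION['"]?\s*(?:=|,)\s*['"]([0-9][0-9A-Za-z.\-]*)['"]""")


def parse_version(source):
    """Return (numeric tuple, pre-release suffix) from a version file's text, or None."""
    match = VERSION_RE.search(source)
    if not match:
        return None
    core, _, suffix = match.group(1).partition("-")   # "10.1.0-dev" -> ("10.1.0", "dev")
    return tuple(int(part) for part in core.split(".")), suffix


def format_version(numbers, suffix):
    return ".".join(map(str, numbers)) + (f"-{suffix}" if suffix else "")


def branch_of(numbers):
    # Drupal 7 is versioned 7.N; everything else is MAJOR.MINOR.PATCH.
    return (7,) if numbers[0] == 7 else numbers[:2]


def classify(numbers, suffix=""):
    """One of: end-of-life, not-covered, patched, pre-release, vulnerable."""
    major = numbers[0]
    if major == 8 or (major == 9 and numbers[1] < 4):
        return "end-of-life"        # no fix will be published for this branch; migrate
    fixed = FIXED_RELEASES.get(branch_of(numbers))
    if fixed is None:
        return "not-covered"        # branch not named in the advisory (e.g. 10.1.x)
    if numbers > fixed:
        return "patched"
    if numbers == fixed:
        # A pre-release carrying the fixed number (e.g. 9.5.5-rc1) may predate the fix.
        return "patched" if not suffix else "pre-release"
    return "vulnerable"


def check_source(source):
    """Classify from version-file text; returns (version string or None, verdict)."""
    parsed = parse_version(source)
    if parsed is None:
        return None, "unknown"
    numbers, suffix = parsed
    return format_version(numbers, suffix), classify(numbers, suffix)


def audit(docroot):
    """Locate the version file under a Drupal docroot and classify the install."""
    for rel in ("core/lib/Drupal.php", "includes/bootstrap.inc"):
        path = Path(docroot) / rel
        if path.is_file():
            return check_source(path.read_text(errors="replace"))
    return None, "unknown"


if __name__ == "__main__":
    version, verdict = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"Drupal {version or '?'}: {verdict}")
    # Non-zero exit for anything other than "patched" so the check can gate a deploy.
    sys.exit(0 if verdict == "patched" else 1)
```

Run it as `python drupal_check.py /var/www/html`. A verdict of `end-of-life` means no update will ever fix the branch in place; `not-covered` means the branch is not one the advisory names and must be checked against the project's own release notes rather than assumed safe.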
Last November, the Drupal project had to close vulnerabilities that left websites built with it exposed; attackers could have accessed data that was supposed to be isolated from them.