Upgrade Your Drupal Skills

We trained 1,000+ Drupal Developers over the last decade.

See Advanced Courses NAH, I know Enough
Sep 16 2020
Sep 16
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureCVE IDs: CVE-2020-13670Description: 

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 
Sep 16 2020
Sep 16
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13667Description: 

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

Reported By: Fixed By: 
Sep 16 2020
Sep 16
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13669Description: 

Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 
Sep 16 2020
Sep 16
Project: Drupal coreDate: 2020-September-16Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13668Description: 

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.

Reported By: Fixed By: 
Sep 16 2020
Sep 16
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13666Description: 

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true", or you'll need to use the jQuery AJAX API directly.

If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

Updates

Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

The update to Drupal 7 is likely to cause a regression in AJAX functionality on sites which use jQuery 1.5 (for example via the jQuery Update module). This issue seems to specifically affect jQuery 1.5; the version included in Drupal 7 core (1.4.4) and versions 1.6 and later do not suffer from the regression.

Reported By: Fixed By: 
Jun 17 2020
Jun 17
Project: Drupal coreDate: 2020-June-17Security risk: Less critical 8∕25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassCVE IDs: CVE-2020-13665 Description: 

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
Jun 17 2020
Jun 17
Project: Drupal coreDate: 2020-June-17Security risk: Critical 17∕25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionCVE IDs: CVE-2020-13664Description: 

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
Jun 17 2020
Jun 17
Project: Drupal coreDate: 2020-June-17Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13663Description: 

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Solution: 

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
May 20 2020
May 20
Project: Drupal coreDate: 2020-May-20Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Open RedirectCVE IDs: CVE-2020-13662 Description: 

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.

Solution: 

Install the latest version:

Reported By: Fixed By: 
May 20 2020
May 20
Project: Drupal coreDate: 2020-May-20Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

These vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on Drupal 7 sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to Drupal sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption in 8.8.x and earlier, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.

(Note: the backwards compatibility layer will not be included in the upcoming Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes, and sites should correct tags in JavaScript to properly use closing tags.)

If you find a regression caused by the jQuery changes, please report it in Drupal core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Drupal Security Team.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive security coverage. Sites on 8.6 or earlier should update to 8.7.14.

The pre-release Drupal versions (8.9 and 9.0) have been updated jQuery to version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.

Reported By: Fixed By: 
Mar 18 2020
Mar 18
Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2020-March-18Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Third-party libraryDescription: 

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Note for Drupal 7 users

Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.

Dec 18 2019
Dec 18
Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Edited to clarify the nature of the upstream release.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

(Note that this SA is the only one in the list that applies to Drupal 7.x)

Reported By: Fixed By: 
Dec 18 2019
Dec 18
Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution: 
  • If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
  • If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 
Dec 18 2019
Dec 18
Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: 

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Solution: 

Install the latest version:

  • If you use Drupal core 8.7.x: 8.7.11
  • If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 
Dec 18 2019
Dec 18
Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: 

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 
Feb 25 2019
Feb 25
Date: 2019-February-25Description: 

This PSA is now out of date. Read: Extending Drupal 7's End-of-Life - PSA-2020-06-24

Drupal 7 was first released in January 2011. In November 2021, after over a decade, Drupal 7 will reach end of life (EOL). (More information on why this date was chosen.) Official community support for version 7 will end, along with support provided by the Drupal Association on Drupal.org. This means that automated testing services for Drupal 7 will be shut down, and there will be no more updates provided by the Drupal Security Team.

When this occurs, Drupal 7 will be marked end-of-life in the update manager, which appears in the Drupal administrative interface. Updates, security fixes, and enhancements will no longer be provided by the community, but may be available on a limited basis from select commercial vendors.

If you have a site that is running on Drupal 7, now is the time to start planning the upgrade. Note that the transition from Drupal 8 to Drupal 9 will not be the significant effort that the transition from 7 to 8 was. In fact, the first release of Drupal 9 will be identical to the last release of Drupal 8, except with deprecated code removed and dependencies updated to newer versions. (See Plan for Drupal 9 for more information on Drupal 9.)

What this means for your Drupal 7 sites is, as of November 2021:

  • Drupal 7 will no longer be supported by the community at large. The community at large will no longer create new projects, fix bugs in existing projects, write documentation, etc. around Drupal 7.
  • There will be no more core commits to Drupal 7.
  • The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities might become public creating 0 day exploits.
  • All Drupal 7 releases on all project pages will be flagged as not supported. Maintainers can change that flag if they desire to.
  • On Drupal 7 sites with the update status module, Drupal Core will show up as unsupported.
  • After November 2021, using Drupal 7 may be flagged as insecure in 3rd party scans as it no longer gets support.
  • Best practice is to not use unsupported software, it would not be advisable to continue to build new Drupal 7 sites.
  • Now is the time to start planning your migration to Drupal 8.

If, for any reason, you are unable to migrate to Drupal 8 or 9 by the time version 7 reaches end of life, there will be a select number of organizations that will provide Drupal 7 Vendor Extended Support (D7ES) for their paying clients. This program is the successor to the successful Drupal 6 LTS program. Like that program, it will be an additional paid service, fully operated by these organizations with some help from the Security Team.

The Drupal Association and Drupal Security Team will publish an announcement once we have selected the Drupal 7 Vendor Extended Support partners.

If you would like more information about the Drupal release cycle, consult the official documentation on Drupal.org. If you would like more information about the upcoming release of Drupal 9, join us at DrupalCon Seattle.

Information for organizations interested in providing commercial Drupal 7 Vendor Extended Support

Organizations interested in providing commercial Drupal 7 Vendor Extended Support to their customers and who have the technical knowledge to maintain Drupal 7 are invited to fill out the
application for the Drupal 7 Vendor Extended Support team. The application submission should explain why the vendor is a good fit for the program, and explain how they meet the requirements as outlined below.

Base requirements for this program include:

  • You must have experience in the public issue queue supporting Drupal 7 core or Drupal 7 Modules. You should be able to point to a history of such contribution. One way to measure this is issue credits, but there are other ways. You must continue this throughout your enrollment in the program. If you have other ways to show your experience, feel free to highlight them.
  • You must make a commitment to the Security Team, the Drupal Association, and your customers that you will remain active in this program for 3 years.
  • As a partner, you must contribute to at least 20% of all Drupal 7 Vendor Extended Support module patches and 80% of D7ES core patches in a given year. (Modules that have been moved into core in Drupal 8 count as part of core metrics in Drupal 7) .
  • Any organization involved in this program must have at least 1 member on the Drupal Security Team for at least 3 months prior to joining the program and while a member of the program. (See How to join the Drupal Security Team for information.) This person will need a positive evaluation of their contributions from the Security Working Group.
  • Payment of an Drupal 7 Vendor Extended Support annual fee for program participation is required (around $3000 a year). These fees will go to communication tools for the Drupal 7 Vendor Extended Support vendors and/or the greater community.
  • Payment of a $450 application fee is required.
  • Your company must provide paid support to Drupal 7 clients. This program is not for companies that don't provide services to external clients.
  • Application review process:

  1. We will confirm that each vendor meets the requirements outlined above and is a good fit for the program.
  2. If the Security Working Group does not think you are a good fit, we will explain why and decline your application. If you are rejected, you are able to reapply. Most rejections will be due to Organizations not having enough ongoing contribution to Drupal 7 and Organizations not having a Drupal Security Team member at their organization.
  3. The Drupal Association signs off on your participation in the program.
  4. If you are accepted, you will be added to the Drupal 7 Vendor Extended Support vendor mailing list.
  5. The Security Working Group will do a coordinated announcement with the vendors to promote the program.

If you have any questions you can email [email protected]

Feb 19 2019
Feb 19
Date: 2019-February-19Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonDescription: 

There will be a security release of 8.5.x and 8.6.x on February 20th 2019 between 1PM to 5PM America/New York (1800 to 2200 UTC). (To see this in your local timezone, refer to the Drupal Core Calendar) . The risk on this is currently rated at 20/25 (Highly critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.

Not all configurations are affected. Reserve time on February 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

Contributed module security updates may also be required.

If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Security release announcements will appear on the Drupal.org security advisory page.

Jan 16 2019
Jan 16
Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionCVE IDs: CVE-2019-6339Description: 

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Solution: 
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Known issues

This fix introduced a fatal error for some Drush installations when updating a site with Drush. New releases (8.6.7, 8.5.10, and 7.63) have been issued to resolve this regression. See the release notes for additional details.

Update information

.phar added to dangerous extensions list

The .phar file extension has been added to Drupal's dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a .php extension.

phar:// stream wrapper disabled by default for Drupal 7 sites on PHP 5.3.2 and earlier

The replacement stream wrapper is not compatible with PHP versions lower than 5.3.3. Drupal 8 requires a higher PHP version than that, but for Drupal 7 sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.

It is very uncommon to both be running a PHP version lower than 5.3.3 and to need phar support. If you're in that situation, consider upgrading your PHP version instead of restoring insecure phar support.

Reported By: Fixed By: 

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Jan 16 2019
Jan 16
Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Third Party Libraries CVE IDs: CVE-2019-6338Description: 

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

Solution: 
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By: Fixed By: 

Known issues

Users are reporting seeing a fatal error when updating their sites with Drush. Site owners may be able to run drush updb and either drush cc all or drush cr depending on the version to complete the update. Check the status report afterward to confirm that Drupal has been updated. See https://www.drupal.org/project/drupal/issues/3026386 for details.

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Oct 17 2018
Oct 17
  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden. StateTransitionValidationInterface An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

Reported by

Fixed by

External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit.

Reported by

Fixed by

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.

Reported by

Fixed by

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Reported by

Fixed by

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Reported by

Fixed by

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

Aug 01 2018
Aug 01
  • Advisory ID: DRUPAL-SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01

Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x
Jul 30 2018
Jul 30
Date: 2018-July-30Description: 

The Drupal Security Team will be coordinating a security release for Drupal 8 this week on Wednesday, August 1, 2018. (We are issuing this PSA in advance because the in the regular security release window schedule, August 1 would not typically be a core security window.)

The Drupal 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm EDT). It is rated as moderately critical and will be an update to a vendor library only.

August 1 also remains a normal security release window for contributed projects.

Updates

  • 2018-07-31 — Made the time window consistent with the normal security release window.
  • 2018-08-01 — Added UTC times in addition it EDT.
Jun 07 2018
Jun 07

Various media outlets are reporting that a large number of Drupal sites are still vulnerable to the recent highly critical core vulnerabilities SA-CORE-2018-002 and SA-CORE-2018-004.

Those reports are all based on the same source. The source investigated the contents of CHANGELOG.txt of a large number of sites and assumed all sites reporting a version lower than 7.58 to be vulnerable.

Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector. Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.

We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information. The Drupal project has a long history of a reliable coordinated disclosure security program. For the past 4 years, the Drupal Security Team has provided support to journalists covering our releases and policies and is available for further enquiries.

If you are a member of the press and want the Drupal Security Team to comment, please contact [email protected].

Jun 07 2018
Jun 07

Various media outlets are reporting that a large number of Drupal sites are still vulnerable to the recent highly critical core vulnerabilities SA-CORE-2018-002 and SA-CORE-2018-004.

Those reports are all based on the same source. The source investigated the contents of CHANGELOG.txt of a large number of sites and assumed all sites reporting a version lower than 7.58 to be vulnerable.

Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector. Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.

We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information. The Drupal project has a long history of a reliable coordinated disclosure security program. For the past 4 years, the Drupal Security Team has provided support to journalists covering our releases and policies and is available for further enquiries.

If you are a member of the press and want the Drupal Security Team to comment, please contact [email protected].

Apr 25 2018
Apr 25
Project: Drupal coreDate: 2018-April-25Security risk: Highly critical 20∕25 AC:Basic/A:User/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code ExecutionCVE IDs: CVE-2018-7602Description: 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Reported By: Fixed By: 
Apr 23 2018
Apr 23
Date: 2018-April-23Description: 

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

This security release is a follow-up to the one released as SA-CORE-2018-002 on March 28.

  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 8.4.x should immediately update to the 8.4.8 release that will be provided in the advisory, and then plan to update to 8.5.3 or the latest security release as soon as possible (since 8.4.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for each branch. Your site's update report page will recommend the 8.5.x release even if you are on 8.4.x or an older release, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition to the releases mentioned above. (If your site is on a Drupal 8 release older than 8.4.x, it no longer receives security coverage and will not receive a security update. The provided patches may work for your site, but upgrading is strongly recommended as older Drupal versions contain other disclosed security vulnerabilities.)

This release will not require a database update.

The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: login on Drupal.org, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email [email protected] to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.
If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

Apr 18 2018
Apr 18
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingCVE IDs: CVE-2018-9861Description: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
Reported By: Fixed By: 
Apr 13 2018
Apr 13
Date: 2018-April-13Security risk: Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:DefaultDescription: 

Description

This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.

The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25

Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.

Simply updating Drupal will not remove backdoors or fix compromised sites. You should assume that the host is also compromised and that any other sites on a compromised host are compromised as well.

If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.

What to do if your site may be compromised

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, ”Your Drupal site got hacked, now what.”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is very difficult to be certain all backdoors have been found.

If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information please refer to this guide on hacked sites.

Contact and More Information

We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read more at FAQ on SA-CORE-2018-002.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Mar 28 2018
Mar 28
Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code Execution CVE IDs: CVE-2018-7600Description: 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Edited 2020, February 13 to fix links to patch files.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Reported By: Fixed By: 

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Mar 28 2018
Mar 28

How many sites are likely affected?

Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information this represents over one million sites or about 9% of sites that are running a known CMS according to Builtwith.

How dangerous is this issue?

Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 24/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default.

In the long form this means:

  • How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
  • What privilege level is required for an exploit to be successful? None (all/anonymous users).
  • Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.
  • Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.
  • Does a known exploit exist? Exploit exists (documented or deployed exploit code already in the wild).
  • What percentage of users are affected? Default or common module configurations are exploitable, but a config change can disable the exploit.

Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change. The Security Team strongly recommends that the best solution is for sites to upgrade.

Who found this issue?

The issue was identified by Jasper Mattsson (Jasu_M) as part of general research into the security of Drupal. Jasper works for Druid who provide a variety of services including security audits of Drupal sites.

Over the years, security issues in Drupal have been found a variety of ways including researchers with personal motivation and through paid penetration tests or security audits. Drupal site owners concerned about security are encouraged to hire security firms to review their site.

What could an attacker do on a vulnerable site?

A successful exploit of the vulnerability can have a dramatic impact on the site. See the description of the risk score for details.

Is the issue being exploited?

Exploits have been developed. Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.

Simply updating Drupal will not remove backdoors or fix compromised sites. Site builders should therefore update their sites immediately and then investigate to see if their site was compromised, perhaps following the guide for fixing a compromised site. See Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002.

My site has been hacked, what should I do now?

Whether it was exploited via this issue or some prior issue, there is a general guide for "hacked" sites.

I manage a Drupal 6 site, is a fix available?

Yes, Drupal 6 is also affected and the Drupal 6 Long Term Support project has patches available.

What other security measures might I put in place to improve my site's security.

A few general suggestions include:

I manage a Drupal 8.0/8.1/8.2 site, is a fix available?

Previous minor versions of Drupal 8 are not supported after a new minor release is created. If your site is currently on a Drupal release prior to 8.3.8, there are other disclosed security vulnerabilities that may affect your site. For this reason, you should immediately update to at least Drupal 8.3.9 or 8.4.6, then plan to update to Drupal 8.5.1 or higher within the next month.

I can't update my site, what can I do to mitigate the problem?

There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a "Basic Auth" password to prevent access to the site.

List of updates

This FAQ may be updated and any updates will be summarized here.

Mar 21 2018
Mar 21
Date: 2018-March-21Description: 
  • Advisory ID: DRUPAL-PSA-2018-001
  • Project: Drupal Core
  • Version: 7.x, 8.x
  • Date: 2018-March-21

Description

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:

  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.

The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This will not require a database update.

Patches for Drupal 7.x and 8.3.x, 8.4.x, 8.5.x and 8.6.x will be provided.

The CVE for this issue is CVE-2018-7600. The Drupal-specific identifier for the issue is SA-CORE-2018-002.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email [email protected] to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.

If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

updated 2018-03-22: Added information about database updates

updated 2018-03-27: Added information about patches

updated 2018-03-28: Added information about CVE and identifiers

Feb 21 2018
Feb 21
Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains (the CVE for this issue in jQuery is CVE-2015-9251). This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

Reported By: 
  • Comment reply form allows access to restricted content - Critical - Drupal 8

  • JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8)

  • Private file access bypass - Moderately Critical - Drupal 7

  • jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7

  • Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8

  • Settings Tray access bypass - Moderately Critical - Drupal 8

  • External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7

Fixed By: 

Update on Views Ajax vulnerability for Drupal 7 Views and Drupal 8 core. -- PSA-2017-002

Aug 17 2017
Aug 17
Aug 17 2017
Aug 17
Date: 2017-August-17Description: 
  • Advisory ID: DRUPAL-PSA-2017-002
  • Project: Drupal contributed modules
  • Version: 7.x, 8.x
  • Date: 2017-Aug-16

Description

The Drupal Security Team is now aware that the Views ajax access bypass vulnerability (DRUPAL-SA-CONTRIB-2017-068 and SA-CORE-2017-004) released 16 Aug 2017 is more severe than originally announced, because many widely used contrib modules don't have access restrictions set on the default views they provide. Any view that does not have access controls on the default (master) display may be vulnerable. The vulnerability does not require any authentication to be exploited. A successful exploit results in some non-public data being made public.

Sites running versions of Views prior to 7.x-3.17 or Drupal 8 core prior to version 8.3.7 (including Drupal 8.1.x and 8.2.x) should update immediately. Drupal 7 core is only affected if the Views module is enabled.

If you are unable to update Views, you can mitigate this by editing views that contain sensitive data in the Views UI and making sure they utilise one of the permission controls - such as 'require a role' or 'require a permission'. See Views permissions manual page for more information.

Contact and More Information

The Drupal Security Team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security Team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Aug 16 2017
Aug 16

Drupal 8.3.7 is a maintenance release which contain fixes for security vulnerabilities.

Download Drupal 8.3.7

Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

Description

Views - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6923

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

REST API can bypass comment approval - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6924

When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.

This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical - Drupal 8 - CVE-2017-6925

There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Versions affected

  • Drupal core 8.x versions prior to 8.3.7

Solution

Install the latest version:

Drupal 7 core is not affected, however, Drupal 7 Views is: see Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

Also see the Drupal core project page.

Reported by

Views - Access Bypass

REST API can bypass comment approval - Access Bypass

Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

Fixed by

Views - Access Bypass

REST API can bypass comment approval - Access Bypass

Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Jul 17 2017
Jul 17

Symfony contacted the Drupal Security team about today's Symfony security release addressing an issue in UserPasswordValidator. This announcement is to reassure the Drupal community that Drupal 8 is not affected by this fix, as it does not make use of this security component. There is no Drupal 8 release scheduled for this, and there is no action you need to take on your Drupal site(s).

Jun 21 2017
Jun 21

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

Download Drupal 8.3.4 Download Drupal 7.56

Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-003
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2017-June-21
  • Multiple vulnerabilities

Description

PECL YAML parser unsafe object handling - Critical - Drupal 8 - CVE-2017-6920

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.

File REST resource does not properly validate - Less Critical - Drupal 8 - CVE-2017-6921

The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - Moderately Critical - Drupal 7 and Drupal 8 - CVE-2017-6922

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Versions affected

  • Drupal core 7.x versions prior to 7.56
  • Drupal core 8.x versions prior to 8.3.4

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

PECL YAML parser unsafe object handling

File REST resource does not properly validate

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

Fixed by

PECL YAML parser unsafe object handling

File REST resource does not properly validate

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x
Apr 19 2017
Apr 19

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

CVE identifier(s) issued

  • CVE-2017-6919

Versions affected

  • Drupal 8 prior to 8.2.8 and 8.3.1.
  • Drupal 7.x is not affected.

Solution

  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

  • The Drupal Security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 8 core upcoming critical release PSA-2017-001

Apr 17 2017
Apr 17
Apr 17 2017
Apr 17
Date: 2017-April-17Description: 
  • Advisory ID: DRUPAL-PSA-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-Apr-17

Description

There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between
17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, we will provide an 8.2.x release that includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.

This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.

Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and vulnerability disclosure best practices.

We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptable.

Drupal 7 core is not affected by this issue.

Contact and More Information

The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.

Pages

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web